From 27a3b1e0136b442404d5f9ef425215c4b05993c7 Mon Sep 17 00:00:00 2001
From: BuddyDavies
Date: Wed, 27 Sep 2023 13:00:41 +1300
Subject: [PATCH 1/8] Entra updates, typos and more
---
 checklists/alz_checklist.en.json | 90 ++++++++++++++++----------------
 1 file changed, 45 insertions(+), 45 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index c8dd77792..df44ad6c4 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -1,8 +1,8 @@
 {
 "items": [
 { 
- "category": "Azure Billing and Active Directory Tenant", 
- "subcategory": "Azure AD Tenants", 
+ "category": "Azure Billing and Microsoft Entra ID Tenants", 
+ "subcategory": "Microsoft Entra ID Tenants",
 "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.",
 "waf": "Operations",
 "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
@@ -11,9 +11,9 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations"
 },
 { 
- "category": "Azure Billing and Active Directory Tenant", 
- "subcategory": "Azure AD Tenants", 
- "text": "Ensure you have a Multi-Tenant Automation approach to managing your Azure AD Tenants", 
+ "category": "Azure Billing and Microsoft Entra ID Tenants", 
+ "subcategory": "Microsoft Entra ID Tenants", 
+ "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
 "waf": "Operations",
 "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
 "id": "A01.02", 
@@ -21,8 +21,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation" }, { - "category": "Azure Billing and Active Directory Tenant", - "subcategory": "Azure AD Tenants", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "subcategory": "Microsoft Entra ID Tenants", "text": "Leverage Azure Lighthouse for Multi-Tenant Management", "waf": "Operations", "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", @@ -31,7 +31,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Cloud Solution Provider", "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner", "waf": "Cost", @@ -41,7 +41,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Cloud Solution Provider", "text": "Discuss support request and escalation process with CSP partner", "waf": "Cost", @@ -51,7 +51,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Cloud Solution Provider", "text": "Setup Cost Reporting and Views with Azure Cost Management", "waf": "Cost", 
@@ -61,7 +61,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Enterprise Agreement", "text": "Configure Notification Contacts to a group mailbox", "waf": "Cost", @@ -71,7 +71,7 @@ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Enterprise Agreement", "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy can help with separating billing.", "waf": "Cost", @@ -81,7 +81,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Enterprise Agreement", "text": "Ensure that Accounts are configured to be of the type 'Work and School Account'", "waf": "Security", @@ -92,7 +92,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Enterprise Agreement", "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allowers users with the correct perms review Cost and Billing Data.", "waf": "Security", 
@@ -102,7 +102,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Enterprise Agreement", "text": "Make use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads", "waf": "Cost", @@ -112,7 +112,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations" }, { - "category": "Azure Billing and Active Directory Tenant", + "category": "Azure Billing and Microsoft Entra ID Tenants", "subcategory": "Enterprise Agreement", "text": "Periodically audit the role assignments to review who has access to your Enterprise Agreement Enrollment", "waf": "Cost", @@ -122,8 +122,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations" }, { - "category": "Azure Billing and Active Directory Tenant", - "subcategory": "Microsoft Cloud Agreement", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "subcategory": "Microsoft Customer Agreement", "text": "Configure Agreement billing account notification contact email", "waf": "Cost", "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c", 
@@ -132,8 +132,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations" }, { - "category": "Azure Billing and Active Directory Tenant", - "subcategory": "Microsoft Cloud Agreement", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "subcategory": "Microsoft Customer Agreement", "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management", "waf": "Cost", "guid": "90e87802-602f-4dfb-acea-67c60689f1d7", @@ -142,8 +142,8 @@ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice" }, { - "category": "Azure Billing and Active Directory Tenant", - "subcategory": "Microsoft Cloud Agreement", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "subcategory": "Microsoft Customer Agreement", "text": "Make use of Azure Plan to reduce costs for non-production workloads", "waf": "Cost", "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50", @@ -152,8 +152,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations" }, { - "category": "Azure Billing and Active Directory Tenant", - "subcategory": "Microsoft Cloud Agreement", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "subcategory": "Microsoft Customer Agreement", "text": "Periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account", "waf": "Cost", "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3", @@ -287,7 +287,7 @@ }, { "category": "Identity and Access Management", - "subcategory": "Azure AD", + "subcategory": "Microsoft Entra ID", "text": "When deploying an AD Connect VM, consider having a staging sever for high availability / Disaster recovery", "waf": "Reliability", "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94", 
@@ -310,7 +310,7 @@ { "category": "Identity and Access Management", "subcategory": "Identity", - "text": "Integrate Azure AD logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", "waf": "Security", "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", "id": "C03.02", @@ -332,7 +332,7 @@ { "category": "Identity and Access Management", "subcategory": "Identity", - "text": "Enforce Azure AD conditional-access policies for any user with rights to Azure environments", + "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments", "waf": "Security", "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", "id": "C03.04", @@ -366,7 +366,7 @@ { "category": "Identity and Access Management", "subcategory": "Identity", - "text": "Enforce Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege", "waf": "Security", "guid": "14658d35-58fd-4772-99b8-21112df27ee4", "id": "C03.07", @@ -444,7 +444,7 @@ { "category": "Identity and Access Management", "subcategory": "Identity", - "text": "If AD on Windows server in use, can all required resources access correct domain controller?", + "text": "If AD on Windows server in use, are the resources in Azure using the correct domain controller?", "waf": "Security", "guid": "ac6a9e01-e6a8-43de-9de3-2c1992481607", "id": "C03.14", 
@@ -455,7 +455,7 @@ { "category": "Identity and Access Management", "subcategory": "Identity", - "text": "Consider using Azure AD Application Proxy as a VPN or reverse proxy replacement to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", + "text": "Consider using Microsoft Entra ID Application Proxy as a VPN or reverse proxy replacement to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", "waf": "Security", "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", "id": "C03.15", @@ -466,7 +466,7 @@ { "category": "Identity and Access Management", "subcategory": "Identity", - "text": "Avoid using on-premises synced accounts for Azure AD role assignments.", + "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", "waf": "Security", "guid": "35037e68-9349-4c15-b371-228514f4cdff", "id": "C03.16", @@ -488,7 +488,7 @@ { "category": "Identity and Access Management", "subcategory": "Landing zones", - "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.G - Data Operations across Keyvault, Storage Account and Database Services. ", + "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.G - Data Operations across Key Vault, Storage Account and Database Services. ", "waf": "Security", "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4", "id": "C04.02", @@ -499,7 +499,7 @@ { "category": "Identity and Access Management", "subcategory": "Landing zones", - "text": "Use Azure AD PIM access reviews to periodically validate resource entitlements.", + "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.", "waf": "Security", "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c", "id": "C04.03", 
@@ -586,8 +586,8 @@ "guid": "00f1ce16-ed30-41d6-b872-e52e3611cc58", "id": "D03.04", "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment" + "training": "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance" }, { "category": "Management", @@ -735,7 +735,7 @@ }, { "category": "Management", - "subcategory": "Operational complliance", + "subcategory": "Operational compliance", "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", "waf": "Security", "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", @@ -745,7 +745,7 @@ }, { "category": "Management", - "subcategory": "Operational complliance", + "subcategory": "Operational compliance", "text": "Monitor VM security configuration drift via Azure Policy.", "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", "waf": "Security", @@ -942,7 +942,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "App delivery", - "text": "If users only need access to internal applications, has Azure AD Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", "waf": "Security", "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", "id": "F01.11", 
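Review bot: The two replacement URLs for D03.04 in the -586 hunk carry an `en-us` locale segment, which every other `training` and `link` value visible in this file omits (`https://learn.microsoft.com/azure/...`); locale-pinned URLs drift independently of the locale-neutral ones and are the only two of their kind here. Drop the segment: `"training": "https://learn.microsoft.com/azure/governance/policy/concepts/effects",` and `"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance"`. The new `training` value is also a concepts page rather than a learning path or module like the other `training` entries, and since the item's `text` lies outside the hunk it cannot be confirmed here that a policy-effects page matches what D03.04 recommends.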
@@ -953,7 +953,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "App delivery", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Azure AD Application Proxy to give remote users secure and authenticated access to internal applications.", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", "waf": "Security", "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", "id": "F01.12", @@ -2109,7 +2109,7 @@ { "category": "Platform Automation and DevOps", "subcategory": "Security", - "text": " Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", + "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", "waf": "Operations", "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f", "id": "H04.01", @@ -2230,7 +2230,7 @@ { "category": "Resource Organization", "subcategory": "Subscriptions", - "text": "Ensure that all subscription owners and IT core team are aware of subscription resource limitations as part of workload design sessions.", + "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.", "waf": "Security", "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8", "id": "I02.10", 
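Review bot: The rewritten I02.10 text in the -2230 hunk reads `the impact they have on provision resources`, which needs the gerund: `"text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provisioning resources for a given subscription.",`. The `waf` value of this item stays `Security` although the text is now about quotas, which is an operations or reliability concern; that classification predates the patch, so it is only worth a look while the line is being touched.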
@@ -2362,7 +2362,7 @@
 {
 "category": "Security",
 "subcategory": "Encryption and keys", 
- "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) roles.", 
+ "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.",
 "waf": "Security",
 "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
 "id": "J02.04",
@@ -2452,7 +2452,7 @@
 {
 "category": "Security",
 "subcategory": "Operations", 
- "text": "Use Azure AD reporting capabilities to generate access control audit reports.", 
+ "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
 "waf": "Security",
 "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
 "id": "J03.01",
@@ -2558,7 +2558,7 @@
 {
 "category": "Security",
 "subcategory": "Secure privileged access", 
- "text": "Separate privledged admin accounts for Azure administrative tasks.", 
+ "text": "Separate privileged admin accounts for Azure administrative tasks.",
 "waf": "Security",
 "guid": "6f704104-85c1-441f-96d3-c9819911645e",
 "id": "J05.01",
@@ -2589,7 +2589,7 @@
 ],
 "categories": [
 { 
- "name": "Azure Billing and Active Directory Tenant" 
+ "name": "Azure Billing and Microsoft Entra ID Tenants"
 },
 {
 "name": "Identity and Access Management"
From edc57c84334c39f365a25aa9c41e37b9b78c5c24 Mon Sep 17 00:00:00 2001
From: BuddyDavies
Date: Wed, 27 Sep 2023 13:17:55 +1300
Subject: [PATCH 2/8] ADjust Category IDs and organised structure
---
 checklists/alz_checklist.en.json | 1529 +++++++++++++++---------------
 1 file changed, 765 insertions(+), 764 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index df44ad6c4..bdfb1915f 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json 
@@ -73,7 +73,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Enterprise Agreement", 
- "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy can help with separating billing.", 
+ "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy which can help with separating billing.",
 "waf": "Cost",
 "guid": "12cd499f-96e2-4e41-a243-231fb3245a1c",
 "id": "A03.02",
@@ -83,7 +83,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Enterprise Agreement", 
- "text": "Ensure that Accounts are configured to be of the type 'Work and School Account'", 
+ "text": "Ensure that Accounts are configured to be of the type 'Work or School Account",
 "waf": "Security",
 "guid": "29213165-f066-46c4-81fc-4214cc19f3d0",
 "id": "A03.03",
@@ -94,7 +94,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Enterprise Agreement", 
- "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allowers users with the correct perms review Cost and Billing Data.", 
+ "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allow users with the correct perms review Cost and Billing Data.",
 "waf": "Security",
 "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6",
 "id": "A03.04", 
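Review bot: The rewritten A03.03 text in the -83 hunk drops the closing quote after `Account`: `'Work or School Account` opens a single quote that is never closed, so the item renders as a truncated quotation. Restore it: `"text": "Ensure that Accounts are configured to be of the type 'Work or School Account'",`. The -94 hunk just below has a similar wording slip: `to allow users with the correct perms review Cost and Billing Data` still needs `to review`, and `perms` could be spelled out as `permissions` while the line is being edited.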
@@ -161,125 +161,13 @@ "severity": "Medium", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations" }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "waf": "Security", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "id": "B01.01", - "ammp": true, - "severity": "High", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Identify required Azure tags and use the 'append' policy mode to enforce usage.", - "waf": "Security", - "guid": "e979377b-cdb3-4751-ab2a-b13ada6e55d7", - "id": "B01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "waf": "Security", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "id": "B01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes", - "waf": "Security", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "id": "B01.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", - "waf": "Security", - "guid": 
"3829e7e3-1618-4368-9a04-77a209945bda", - "id": "B01.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level", - "waf": "Security", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "id": "B01.06", - "severity": "Low", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Use built-in policies where possible to minimize operational overhead.", - "waf": "Security", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "id": "B01.07", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "waf": "Security", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "id": "B01.08", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy" - }, - { - "category": "Governance", - "subcategory": "Governance", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", - "waf": "Security", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "id": "B01.09", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Governance", - "subcategory": "Optimize your cloud investment", - "text": "Consider using automation tags to start/stop VM's in your environment to save on cost.", - "waf": "Security", - "guid": "9b5e2a28-9823-4faf-ab7e-afa5f6c57221", - "id": "B02.01", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config" - }, - { - "category": "Governance", - "subcategory": "Optimize your cloud investment", - "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", - "waf": "Cost", - "guid": "29fd366b-a180-452b-9bd7-954b7700c667", - "id": "B02.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json" - }, { "category": "Identity and Access Management", "subcategory": "Active Directory and Hybrid Identity", "text": "Use managed identities instead of service principals for authentication to Azure services", "waf": "Security", "guid": 
"4348bf81-7573-4512-8f46-9061cc198fea", - "id": "C01.01", + "id": "B01.01", "ammp": true, "severity": "High", "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", @@ -291,7 +179,7 @@ "text": "When deploying an AD Connect VM, consider having a staging sever for high availability / Disaster recovery", "waf": "Reliability", "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94", - "id": "C02.01", + "id": "B02.01", "severity": "Medium", "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server" }, @@ -301,7 +189,7 @@ "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", "waf": "Security", "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "id": "C03.01", + "id": "B03.01", "ammp": true, "severity": "High", "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", @@ -313,7 +201,7 @@ "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", "waf": "Security", "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "id": "C03.02", + "id": "B03.02", "severity": "Medium", "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor" }, @@ -323,7 +211,7 @@ "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", "waf": "Security", "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "id": "C03.03", + "id": "B03.03", "ammp": true, "severity": "High", "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", 
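Review bot: The -161 hunk deletes the eleven Governance items (`B01.01` through `B02.02`, guids `5c986cb2-…` to `29fd366b-…`) and immediately reuses the `B` prefix for Identity and Access Management (`C01.01` → `B01.01` here, and the same shift through the following hunks), so an `id` like `B01.01` names "Leverage Azure Policy strategically" before this patch and "Use managed identities instead of service principals" after it. Anything that records checklist state or cross-references by `id` rather than `guid` will silently point at a different recommendation; the commit message should say so, and consumers should key on `guid`. The hunk does not show where the Governance items land: if they are re-added elsewhere in the patch, their `guid` values should be carried over unchanged, and the `categories` array at the end of the file needs the matching entry. The enclosing `items` array continues outside the hunk.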
@@ -335,7 +223,7 @@ "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments", "waf": "Security", "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "id": "C03.04", + "id": "B03.04", "severity": "Low", "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview" @@ -346,7 +234,7 @@ "text": "Enforce multi-factor authentication for any user with rights to the Azure environments", "waf": "Security", "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "id": "C03.05", + "id": "B03.05", "ammp": true, "severity": "High", "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", @@ -358,7 +246,7 @@ "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements", "waf": "Security", "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6", - "id": "C03.06", + "id": "B03.06", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations" @@ -369,7 +257,7 @@ "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege", "waf": "Security", "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "id": "C03.07", + "id": "B03.07", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure" 
@@ -380,7 +268,7 @@ "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", "waf": "Security", "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "id": "C03.08", + "id": "B03.08", "ammp": true, "severity": "High", "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", @@ -392,7 +280,7 @@ "text": "Only use groups to assign permissions. Add on-premises groups to the Azure-AD-only group if a group management system is already in place.", "waf": "Security", "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "id": "C03.09", + "id": "B03.09", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal" @@ -403,7 +291,7 @@ "text": "Consider using Azure custom roles for the following key roles: Azure platform owner, network management, security operations, subscription owner, application owner", "waf": "Security", "guid": "f5664b5e-984a-4859-a773-e7d261623a76", - "id": "C03.10", + "id": "B03.10", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations" @@ -414,7 +302,7 @@ "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", "waf": "Security", "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "id": "C03.11", + "id": "B03.11", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/" 
@@ -425,7 +313,7 @@ "text": "If Azure Active Directory Domains Services (AADDS) is in use, deploy AADDS within the primary region because this service can only be projected into one subscription", "waf": "Security", "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780", - "id": "C03.12", + "id": "B03.12", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview" @@ -436,7 +324,7 @@ "text": "If AADDS in use, evaluate the compatibility of all workloads", "waf": "Security", "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "id": "C03.13", + "id": "B03.13", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview" @@ -447,7 +335,7 @@ "text": "If AD on Windows server in use, are the resources in Azure using the correct domain controller?", "waf": "Security", "guid": "ac6a9e01-e6a8-43de-9de3-2c1992481607", - "id": "C03.14", + "id": "B03.14", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain" @@ -458,7 +346,7 @@ "text": "Consider using Microsoft Entra ID Application Proxy as a VPN or reverse proxy replacement to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", "waf": "Security", "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "id": "C03.15", + "id": "B03.15", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy" 
@@ -469,7 +357,7 @@ "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", "waf": "Security", "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "id": "C03.16", + "id": "B03.16", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices" @@ -480,7 +368,7 @@ "text": "Configure Identity (ADDS) network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).", "waf": "Security", "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8", - "id": "C04.01", + "id": "B04.01", "severity": "Low", "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities" @@ -491,7 +379,7 @@ "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.G - Data Operations across Key Vault, Storage Account and Database Services. ", "waf": "Security", "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4", - "id": "C04.02", + "id": "B04.02", "severity": "Medium", "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations" 
@@ -502,337 +390,208 @@ "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.", "waf": "Security", "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c", - "id": "C04.03", + "id": "B04.03", "severity": "Medium", "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review" }, { - "category": "Management", - "subcategory": "App delivery", - "text": "Add diagnostic settings to save your Azure Front Door WAF's logs. Regularly review the logs to check for attacks and for false positive detections.", - "waf": "Operations", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "id": "D01.01", + "category": "Resource Organization", + "subcategory": "Naming and tagging", + "text": "It is recommended to follow Microsoft Best Practice Naming Standards", + "waf": "Security", + "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a", + "id": "C01.01", "ammp": true, "severity": "High", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs" + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming" }, { - "category": "Management", - "subcategory": "App delivery", - "text": "Send Azure Front Door logs to Microsoft Sentinel. 
Detect attacks and integrate Front Door telemetry into your overall Azure environment.", - "waf": "Operations", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "id": "D01.02", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce reasonably flat management group hierarchy with no more than four levels.", + "waf": "Security", + "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b", + "id": "C02.01", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel" + "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups" }, { - "category": "Management", - "subcategory": "Data Protection", - "text": "Consider cross-region replication in Azure for BCDR with paired regions", - "waf": "Reliability", - "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb", - "id": "D02.01", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce or appended resource tags through Azure Policy", + "waf": "Security", + "guid": "5c2622f5-4b69-4bad-93aa-d5e8c68e1d76", + "id": "C02.02", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure" + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json" }, { - "category": "Management", - "subcategory": "Data Protection", - "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", - "waf": "Reliability", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "id": "D02.02", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure", + "waf": "Security", + "guid": "667313b4-f566-44b5-b984-a859c773e7d2", + "id": "C02.03", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy" + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "waf": "Operations", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "id": "D03.01", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment", + "waf": "Security", + "guid": "61623a76-5a91-47e1-b348-ef254c27d42e", + "id": "C02.04", "severity": "Medium", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment" + "training": 
"https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Is the landing zone documented?", - "waf": "Operations", - "guid": "e179b599-de0d-4597-9cd4-cd21b088137f", - "id": "D03.02", - "severity": "Medium" + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.", + "waf": "Security", + "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c", + "id": "C02.05", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use Azure Monitor Logs when log retention requirements exceed two years. 
You can currently keep data in archived state for up to 7 years.", - "waf": "Operations", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "id": "D03.03", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce no subscriptions are placed under the root management group", + "waf": "Security", + "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34", + "id": "C02.06", "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work" + "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant = (array_length(mgmtChain) > 1)", + "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", - "waf": "Operations", - "guid": "00f1ce16-ed30-41d6-b872-e52e3611cc58", - "id": "D03.04", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings", + "waf": "Security", + "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19", + "id": "C02.07", "severity": "Medium", - "training": "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance" + "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Monitor in-guest virtual machine (VM) configuration drift using Azure Policy. Enabling guest configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "waf": "Operations", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "id": "D03.05", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.", + "waf": "Security", + "guid": "92481607-d5d1-4e4e-9146-58d3558fd772", + "id": "C02.08", "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create" + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use Update Management in Azure Automation as a long-term patching 
mechanism for both Windows and Linux VMs. ", - "waf": "Operations", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "id": "D03.06", - "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview" + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.", + "waf": "Security", + "guid": "49b82111-2df2-47ee-912e-7f983f630472", + "id": "C02.09", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview" }, { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use Network Watcher to proactively monitor traffic flows", - "waf": "Operations", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "id": "D03.07", - "severity": "Medium", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use resource locks to prevent accidental deletion of critical shared services.", - "waf": "Operations", - "guid": "541acdce-9793-477b-adb3-751ab2ab13ad", - "id": "D03.08", - "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use deny policies to supplement Azure role assignments. 
The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.", - "waf": "Operations", - "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44", - "id": "D03.09", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Include service and resource health events as part of the overall platform monitoring solution. Tracking service and resource health from the platform perspective is an important component of resource management in Azure.", - "waf": "Operations", - "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154", - "id": "D03.10", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned", - "waf": "Operations", - "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c", - "id": "D03.11", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. 
If on-premises SIEM integration is required, then send critical alerts instead of logs.", - "waf": "Operations", - "guid": "e3ab3693-829e-47e3-8618-3687a0477a20", - "id": "D03.12", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use a centralized Azure Monitor Log Analytics workspace to collect logs and metrics from IaaS and PaaS application resources and control log access with Azure RBAC.", - "waf": "Operations", - "guid": "9945bda4-3334-4f24-a116-34182ba52752", - "id": "D03.13", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use Azure Monitor Logs for insights and reporting.", - "waf": "Operations", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "id": "D03.14", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage.", - "waf": "Operations", - "guid": "619e8a13-f988-4795-85d6-26886d70ba6c", - "id": "D03.15", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "waf": "Operations", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "id": "D03.16", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Ensure that monitoring requirements have been assessed and 
that appropriate data collection and alerting configurations are applied", - "waf": "Operations", - "guid": "859c3900-4514-41eb-b010-475d695abd74", - "id": "D03.17", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Consider supported regions for linked Log Analytics workspace and automation accounts", - "waf": "Operations", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "id": "D03.18", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings" - }, - { - "category": "Management", - "subcategory": "Operational compliance", - "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.", "waf": "Security", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "id": "D04.01", + "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8", + "id": "C02.10", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration" + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits" }, { - "category": "Management", - "subcategory": "Operational compliance", - "text": "Monitor VM security configuration drift via Azure Policy.", - "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Use 
Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. Enforce the use of purchased Reserved Instance VM SKUs via Azure Policy.", "waf": "Security", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "id": "D04.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift" - }, - { - "category": "Management", - "subcategory": "Protect and Recover", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", - "waf": "Operations", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "id": "D05.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview" + "guid": "c68e1d76-6673-413b-9f56-64b5e984a859", + "id": "C02.11", + "ammp": true, + "severity": "High", + "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/", + "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations" }, { - "category": "Management", - "subcategory": "Protect and Recover", - "text": "Ensure to use and test native PaaS service disaster recovery capabilities.", - "waf": "Operations", - "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a", - "id": "D05.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery" + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels", + "waf": "Security", + "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25", + "id": "C02.12", + "ammp": true, + "severity": "High", + "training": 
"https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/", + "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity" }, { - "category": "Management", - "subcategory": "Protect and Recover", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "waf": "Operations", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "id": "D05.03", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Ensure required services and features are available within the chosen deployment regions", + "waf": "Security", + "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908", + "id": "C02.13", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview" - }, - { - "category": "Management ", - "subcategory": "Fault Tolerance", - "text": "Leverage Availability Zones for your VMs in regions where they are supported.", - "waf": "Reliability", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "id": "E01.01", - "ammp": true, - "severity": "High", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview" + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", + "link": "https://azure.microsoft.com/global-infrastructure/services/" }, { - "category": "Management ", - "subcategory": "Fault Tolerance", - "text": "Avoid running a production workload on a single VM.", - "waf": "Reliability", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "id": "E01.02", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Enforce a process for cost management", + "waf": "Security", + "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40", + "id": "C02.14", "ammp": true, "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability" + "training": 
"https://learn.microsoft.com/learn/paths/control-spending-manage-bills/", + "link": "https://learn.microsoft.com/azure/cost-management-billing/cost-management-billing-overview" }, { - "category": "Management ", - "subcategory": "Fault Tolerance", - "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", - "waf": "Reliability", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "id": "E01.03", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "If AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers", + "waf": "Security", + "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de", + "id": "C02.15", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview" + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview" }, { - "category": "Management ", - "subcategory": "Scalability", - "text": "Leverage Azure Virtual Machine Scale sets to scale up and down based on the load.", - "waf": "Reliability", - "guid": "ecdc7506-6f37-4ea9-be87-fc5d3df08a64", - "id": "E02.01", + "category": "Resource Organization", + "subcategory": "Subscriptions", + "text": "Ensure tags are used for billing and cost management", + "waf": "Security", + "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3", + "id": "C02.16", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview" + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs" }, + { 
"category": "Network Topology and Connectivity", "subcategory": "App delivery", "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.", "waf": "Operations", "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "id": "F01.01", + "id": "D01.01", "severity": "Medium", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates" }, @@ -842,7 +601,7 @@ "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", "waf": "Security", "guid": "6138a720-0f1c-4e16-bd30-1d6e872e52e3", - "id": "F01.02", + "id": "D01.02", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator" @@ -853,7 +612,7 @@ "text": "Ensure you are using Application Gateway v2 SKU", "waf": "Security", "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "id": "F01.03", + "id": "D01.03", "severity": "Medium", "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", @@ -865,7 +624,7 @@ "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", "waf": "Security", "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "id": "F01.04", + "id": "D01.04", "severity": "Medium", "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview" 
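Review bot: Every item added under "Resource Organization" in the -502 hunk carries `"waf": "Security"`, including the cost-focused ones (C02.11 Reserved Instances, C02.14 "Enforce a process for cost management", C02.16 tags for billing), while the file already uses `"waf": "Cost"` for such items (for example D03.02 in a later hunk), so the pillar looks copied rather than assigned; I would set those three to `"waf": "Cost"` and re-check C02.10, C02.12 and C02.13, which read as Operations or Reliability concerns. The C02.02 and C02.16 graph queries mark a resource compliant with `isnotnull(['tags'])`, which presumably also passes an empty tags object, so confirm that is the intended meaning of "enforce tags". In the C02.01 and C02.06 queries the clause `extend ManagementGroup = tostring(tags),` is never used by the compliance expression and can be dropped. The C02.02 text has a typo: `Enforce or appended resource tags` should read `Enforce or append resource tags`.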
@@ -876,7 +635,7 @@ "text": "Your application gateways should be deployed in subnets with IP prefixes equal or larger than /26", "waf": "Security", "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "id": "F01.05", + "id": "D01.05", "severity": "Medium", "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetId = tostring(subnets.id), subnetPrefixLength = split(subnets.properties.addressPrefix, '/')[1]) on subnetId | extend compliant = (subnetPrefixLength <= 26) | distinct id,compliant", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", @@ -889,7 +648,7 @@ "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", "waf": "Security", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "id": "F01.06", + "id": "D01.06", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview" @@ -900,7 +659,7 @@ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", "waf": "Security", "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "id": "F01.07", + "id": "D01.07", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview" 
@@ -911,7 +670,7 @@ "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", "waf": "Security", "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "id": "F01.08", + "id": "D01.08", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview" @@ -922,7 +681,7 @@ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", "waf": "Security", "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "id": "F01.09", + "id": "D01.09", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview" @@ -933,7 +692,7 @@ "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", "waf": "Reliability", "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "id": "F01.10", + "id": "D01.10", "ammp": true, "severity": "High", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", @@ -945,7 +704,7 @@ "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", "waf": "Security", "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "id": "F01.11", + "id": "D01.11", "severity": "Low", "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works" 
@@ -956,7 +715,7 @@ "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", "waf": "Security", "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "id": "F01.12", + "id": "D01.12", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works" @@ -967,7 +726,7 @@ "text": "Deploy your WAF profiles for Front Door in 'Prevention' mode.", "waf": "Security", "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "id": "F01.13", + "id": "D01.13", "ammp": true, "severity": "High", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", @@ -979,7 +738,7 @@ "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", "waf": "Security", "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "id": "F01.14", + "id": "D01.14", "ammp": true, "severity": "High", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door" 
@@ -990,7 +749,7 @@ "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", "waf": "Security", "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "id": "F01.15", + "id": "D01.15", "ammp": true, "severity": "High", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin" @@ -1001,7 +760,7 @@ "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", "waf": "Performance", "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "id": "F01.16", + "id": "D01.16", "severity": "Low", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group" }, @@ -1011,7 +770,7 @@ "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", "waf": "Reliability", "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "id": "F01.17", + "id": "D01.17", "severity": "Medium", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints" }, @@ -1021,7 +780,7 @@ "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", "waf": "Performance", "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "id": "F01.18", + "id": "D01.18", "severity": "Low", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes" }, 
@@ -1031,7 +790,7 @@
 "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
 "waf": "Reliability",
 "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "id": "F01.19",
+ "id": "D01.19",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
@@ -1043,7 +802,7 @@
 "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
 "waf": "Operations",
 "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "id": "F01.20",
+ "id": "D01.20",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates"
@@ -1054,7 +813,7 @@
 "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new ruleset versions and gain additional protection.",
 "waf": "Operations",
 "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
- "id": "F01.21",
+ "id": "D01.21",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code"
 },
@@ -1064,7 +823,7 @@
 "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
 "waf": "Security",
 "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "id": "F02.01",
+ "id": "D02.01",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
 },
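Review bot: The `link` on the MACsec item renumbered to `D02.01` (last hunk on this line) points at the NSG how-it-works page, which does not cover MACsec on ExpressRoute Direct, so a reader following the checklist lands on an unrelated control. The ExpressRoute Direct overview that the next item `D02.02` links to (`expressroute-erdirect-about`) is the page that describes MACsec, so these two links appear to be crossed; `D02.02` (IPsec over ExpressRoute private peering) would then need a link that actually covers that VPN-over-ExpressRoute design. The same text/link mismatch shows up later at `D08.05`, where the NSG item links to the Application Gateway overview. The trailing sentence `The diagram shows this encryption in flow.` in the `D02.01` text refers to a figure that is not part of the checklist and could be dropped. Since `guid` is untouched by the renumbering, only consumers keying on `id` are affected by this change.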
@@ -1074,7 +833,7 @@
 "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering. ",
 "waf": "Security",
 "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "id": "F02.02",
+ "id": "D02.02",
 "severity": "Low",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about"
@@ -1085,7 +844,7 @@
 "text": "Consider a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.",
 "waf": "Security",
 "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "id": "F03.01",
+ "id": "D03.01",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity"
@@ -1096,7 +855,7 @@
 "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy Active Directory domain controllers and DNS servers.",
 "waf": "Cost",
 "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "id": "F03.02",
+ "id": "D03.02",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute"
@@ -1107,7 +866,7 @@
 "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance",
 "waf": "Reliability",
 "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "id": "F03.03",
+ "id": "D03.03",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha"
 },
@@ -1117,7 +876,7 @@
 "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
 "waf": "Security",
 "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "id": "F03.04",
+ "id": "D03.04",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn"
 },
@@ -1127,7 +886,7 @@
 "text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
 "waf": "Security",
 "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "id": "F03.05",
+ "id": "D03.05",
 "severity": "Low",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
 "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1"
@@ -1138,7 +897,7 @@
 "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other. ",
 "waf": "Performance",
 "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "id": "F03.06",
+ "id": "D03.06",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region"
@@ -1149,7 +908,7 @@
 "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
 "waf": "Operations",
 "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "id": "F03.07",
+ "id": "D03.07",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
 "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview"
@@ -1160,7 +919,7 @@
 "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)",
 "waf": "Reliability",
 "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
- "id": "F03.08",
+ "id": "D03.08",
 "severity": "Medium",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits"
@@ -1171,7 +930,7 @@
 "text": "Consider the limit of routes per route table (400).",
 "waf": "Reliability",
 "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "id": "F03.09",
+ "id": "D03.09",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits"
@@ -1182,7 +941,7 @@
 "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings",
 "waf": "Reliability",
 "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "id": "F03.10",
+ "id": "D03.10",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
@@ -1194,7 +953,7 @@
 "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.",
 "waf": "Performance",
 "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
- "id": "F04.01",
+ "id": "D04.01",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli"
@@ -1206,7 +965,7 @@
 "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
 "waf": "Reliability",
 "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
- "id": "F04.02",
+ "id": "D04.02",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing"
@@ -1217,7 +976,7 @@
 "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
 "waf": "Performance",
 "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
- "id": "F04.03",
+ "id": "D04.03",
 "severity": "Medium",
 "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
@@ -1229,7 +988,7 @@
 "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.",
 "waf": "Cost",
 "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
- "id": "F04.04",
+ "id": "D04.04",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
@@ -1241,7 +1000,7 @@
 "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.",
 "waf": "Cost",
 "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
- "id": "F04.05",
+ "id": "D04.05",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
@@ -1253,7 +1012,7 @@
 "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
 "waf": "Reliability",
 "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
- "id": "F04.06",
+ "id": "D04.06",
 "severity": "Medium",
 "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
@@ -1265,7 +1024,7 @@
 "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
 "waf": "Performance",
 "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
- "id": "F04.07",
+ "id": "D04.07",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/networking/"
@@ -1276,7 +1035,7 @@
 "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
 "waf": "Performance",
 "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
- "id": "F04.08",
+ "id": "D04.08",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath"
@@ -1287,7 +1046,7 @@
 "text": "Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available).",
 "waf": "Reliability",
 "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
- "id": "F04.09",
+ "id": "D04.09",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant",
 "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
@@ -1299,7 +1058,7 @@
 "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
 "waf": "Cost",
 "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
- "id": "F04.10",
+ "id": "D04.10",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
@@ -1311,7 +1070,7 @@
 "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
 "waf": "Security",
 "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "id": "F04.11",
+ "id": "D04.11",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability"
@@ -1322,7 +1081,7 @@
 "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
 "waf": "Operations",
 "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
- "id": "F04.12",
+ "id": "D04.12",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts"
@@ -1333,7 +1092,7 @@
 "text": "Use Connection Monitor for connectivity monitoring across the environment.",
 "waf": "Operations",
 "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "id": "F04.13",
+ "id": "D04.13",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor"
@@ -1344,7 +1103,7 @@
 "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
 "waf": "Reliability",
 "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "id": "F04.14",
+ "id": "D04.14",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits"
@@ -1355,7 +1114,7 @@
 "text": "If you are deploying at least two VMs running AD DS as domain controllers, add them to different Availability Zones. If not available in the region, deploy in an Availability Set.",
 "waf": "Reliability",
 "guid": "2df4930f-6a43-49a3-926b-309f02c302f0",
- "id": "F04.15",
+ "id": "D04.15",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations"
@@ -1366,7 +1125,7 @@
 "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used",
 "waf": "Security",
 "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "id": "F05.01",
+ "id": "D05.01",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
@@ -1378,7 +1137,7 @@
 "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
 "waf": "Security",
 "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
- "id": "F05.02",
+ "id": "D05.02",
 "severity": "Low",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
@@ -1390,7 +1149,7 @@
 "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16) ",
 "waf": "Performance",
 "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
- "id": "F05.03",
+ "id": "D05.03",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
@@ -1403,7 +1162,7 @@
 "text": "Avoid using overlapping IP address ranges for production and DR sites.",
 "waf": "Reliability",
 "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
- "id": "F05.04",
+ "id": "D05.04",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
@@ -1415,7 +1174,7 @@
 "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
 "waf": "Operations",
 "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "id": "F05.05",
+ "id": "D05.05",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
@@ -1426,7 +1185,7 @@
 "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.",
 "waf": "Security",
 "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
- "id": "F05.06",
+ "id": "D05.06",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
 "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview"
@@ -1437,7 +1196,7 @@
 "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
 "waf": "Operations",
 "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
- "id": "F05.07",
+ "id": "D05.07",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
 },
@@ -1447,7 +1206,7 @@
 "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
 "waf": "Operations",
 "guid": "614658d3-558f-4d77-849b-821112df27ee",
- "id": "F05.08",
+ "id": "D05.08",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
@@ -1459,7 +1218,7 @@
 "text": "Consider using Azure Bastion to securely connect to your network.",
 "waf": "Security",
 "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
- "id": "F06.01",
+ "id": "D06.01",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/bastion/bastion-overview"
 },
@@ -1469,7 +1228,7 @@
 "text": "Use Azure Bastion in a subnet /26 or larger.",
 "waf": "Security",
 "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
- "id": "F06.02",
+ "id": "D06.02",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
 "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet"
@@ -1480,7 +1239,7 @@
 "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
 "waf": "Security",
 "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "id": "F06.03",
+ "id": "D06.03",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
@@ -1492,7 +1251,7 @@
 "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
 "waf": "Security",
 "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "id": "F06.04",
+ "id": "D06.04",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/firewall/"
@@ -1503,7 +1262,7 @@
 "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
 "waf": "Security",
 "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "id": "F06.05",
+ "id": "D06.05",
 "severity": "Low",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/firewall/"
@@ -1514,7 +1273,7 @@
 "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
 "waf": "Security",
 "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
- "id": "F06.06",
+ "id": "D06.06",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview"
@@ -1525,7 +1284,7 @@
 "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
 "waf": "Security",
 "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
- "id": "F06.07",
+ "id": "D06.07",
 "severity": "Low",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
@@ -1536,7 +1295,7 @@
 "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
 "waf": "Security",
 "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "id": "F06.08",
+ "id": "D06.08",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
@@ -1548,7 +1307,7 @@
 "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
 "waf": "Security",
 "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "id": "F06.09",
+ "id": "D06.09",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
@@ -1560,7 +1319,7 @@
 "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
 "waf": "Security",
 "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "id": "F06.10",
+ "id": "D06.10",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
@@ -1572,7 +1331,7 @@
 "text": "Use Azure Firewall Premium for additional security and protection.",
 "waf": "Security",
 "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "id": "F06.11",
+ "id": "D06.11",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
@@ -1584,7 +1343,7 @@
 "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
 "waf": "Security",
 "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "id": "F06.12",
+ "id": "D06.12",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
@@ -1596,7 +1355,7 @@
 "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
 "waf": "Security",
 "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "id": "F06.13",
+ "id": "D06.13",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
@@ -1608,7 +1367,7 @@
 "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
 "waf": "Security",
 "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
- "id": "F06.14",
+ "id": "D06.14",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
@@ -1620,7 +1379,7 @@
 "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
 "waf": "Security",
 "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
- "id": "F07.01",
+ "id": "D07.01",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
@@ -1632,7 +1391,7 @@
 "text": "Use Private Link, where available, for shared Azure PaaS services.",
 "waf": "Security",
 "guid": "e43a58a9-c229-49c4-b7b5-7d0c655562f2",
- "id": "F07.02",
+ "id": "D07.02",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "link": "https://learn.microsoft.com/azure/app-service/networking-features"
@@ -1643,7 +1402,7 @@
 "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.",
 "waf": "Security",
 "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
- "id": "F07.03",
+ "id": "D07.03",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/app-service/networking-features"
@@ -1654,7 +1413,7 @@
 "text": "Don't enable virtual network service endpoints by default on all subnets.",
 "waf": "Security",
 "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
- "id": "F07.04",
+ "id": "D07.04",
 "severity": "Medium",
 "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
@@ -1666,7 +1425,7 @@
 "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
 "waf": "Security",
 "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
- "id": "F07.05",
+ "id": "D07.05",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "link": "https://learn.microsoft.com/azure/app-service/networking-features"
@@ -1677,7 +1436,7 @@
 "text": "Use a /26 prefix for your Azure Firewall subnets.",
 "waf": "Security",
 "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
- "id": "F08.01",
+ "id": "D08.01",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
@@ -1689,7 +1448,7 @@
 "text": "Use at least a /27 prefix for your Gateway subnets",
 "waf": "Security",
 "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
- "id": "F08.02",
+ "id": "D08.02",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
@@ -1701,7 +1460,7 @@
 "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
 "waf": "Security",
 "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
- "id": "F08.03",
+ "id": "D08.03",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
 "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags"
@@ -1712,7 +1471,7 @@
 "text": "Delegate subnet creation to the landing zone owner. ",
 "waf": "Security",
 "guid": "c2447ec6-6138-4a72-80f1-ce16ed301d6e",
- "id": "F08.04",
+ "id": "D08.04",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation"
@@ -1723,7 +1482,7 @@
 "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).",
 "waf": "Security",
 "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
- "id": "F08.05",
+ "id": "D08.05",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
@@ -1734,7 +1493,7 @@
 "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
 "waf": "Security",
 "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
- "id": "F08.06",
+ "id": "D08.06",
 "severity": "Medium",
 "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/"
@@ -1745,7 +1504,7 @@
 "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
 "waf": "Security",
 "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
- "id": "F08.07",
+ "id": "D08.07",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
@@ -1756,7 +1515,7 @@
 "text": "Enable NSG flow logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
 "waf": "Security",
 "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "id": "F08.08",
+ "id": "D08.08",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
@@ -1767,7 +1526,7 @@
 "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs",
 "waf": "Operations",
 "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
- "id": "F09.01",
+ "id": "D09.01",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
 "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any"
@@ -1778,7 +1537,7 @@
 "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.",
 "waf": "Performance",
 "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
- "id": "F09.02",
+ "id": "D09.02",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
 },
@@ -1788,7 +1547,7 @@
 "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
 "waf": "Performance",
 "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "id": "F09.03",
+ "id": "D09.03",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
 },
@@ -1798,7 +1557,7 @@
 "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs",
 "waf": "Security",
 "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "id": "F09.04",
+ "id": "D09.04",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
@@ -1810,7 +1569,7 @@
 "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.",
 "waf": "Reliability",
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "id": "F09.05",
+ "id": "D09.05",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
 },
@@ -1820,7 +1579,7 @@
 "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
 "waf": "Operations",
 "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
- "id": "F09.06",
+ "id": "D09.06",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights"
 },
@@ -1830,7 +1589,7 @@
 "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
 "waf": "Reliability",
 "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "id": "F09.07",
+ "id": "D09.07",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan"
 },
@@ -1840,7 +1599,7 @@
 "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
 "waf": "Reliability",
 "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "id": "F09.08",
+ "id": "D09.08",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference"
 },
@@ -1850,7 +1609,7 @@
 "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
 "waf": "Reliability",
 "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "id": "F09.09",
+ "id": "D09.09",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels"
 },
@@ -1860,7 +1619,7 @@
 "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.",
 "waf": "Reliability",
 "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "id": "F09.10",
+ "id": "D09.10",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation"
@@ -1871,7 +1630,7 @@
 "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
 "waf": "Security",
 "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
- "id": "G01.01",
+ "id": "D10.01",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls"
@@ -1882,7 +1641,7 @@
 "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.",
 "waf": "Security",
 "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
- "id": "G01.02",
+ "id": "D10.02",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection"
 },
@@ -1892,7 +1651,7 @@
 "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.",
 "waf": "Security",
 "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
- "id": "G01.03",
+ "id": "D10.03",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf"
@@ -1903,7 +1662,7 @@
 "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.",
 "waf": "Security",
 "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
- "id": "G01.04",
+ "id": "D10.04",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf"
@@ -1914,7 +1673,7 @@
 "text": "Use prevention mode with the Azure Front Door WAF. Prevention mode ensures that the WAF blocks malicious requests.",
 "waf": "Security",
 "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
- "id": "G01.05",
+ "id": "D10.05",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-prevention-mode"
@@ -1925,7 +1684,7 @@
 "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.",
 "waf": "Security",
 "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
- "id": "G01.06",
+ "id": "D10.06",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets"
@@ -1936,7 +1695,7 @@
 "text": "Enable the Azure Front Door WAF bot management rules. The bot rules detect good and bad bots.",
 "waf": "Security",
 "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "id": "G01.07",
+ "id": "D10.07",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules"
@@ -1947,7 +1706,7 @@
 "text": "Use the latest Azure Front Door WAF ruleset versions. Ruleset updates are regularly updated to take account of the current threat landscape.",
 "waf": "Security",
 "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "id": "G01.08",
+ "id": "D10.08",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions"
 },
@@ -1957,7 +1716,7 @@
 "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
 "waf": "Security",
 "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "id": "G01.09",
+ "id": "D10.09",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting"
 },
@@ -1967,7 +1726,7 @@
 "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
 "waf": "Security",
 "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "id": "G01.10",
+ "id": "D10.10",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits"
 },
@@ -1977,7 +1736,7 @@
 "text": "Geo-filter traffic by using the Azure Front Door WAF. Allow traffic only from expected regions, and block traffic from other regions.",
 "waf": "Security",
 "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "id": "G01.11",
+ "id": "D10.11",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic"
 },
@@ -1987,325 +1746,441 @@
 "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
 "waf": "Security",
 "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "id": "G01.12",
+ "id": "D10.12",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location"
 },
 {
- "category": "Platform Automation and DevOps",
- "subcategory": "DevOps Team Topologies",
- "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
- "waf": "Operations",
- "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
- "id": "H01.01",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
+ "waf": "Security",
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "id": "B01.01",
 "ammp": true,
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops"
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview"
 },
 {
- "category": "Platform Automation and DevOps",
- "subcategory": "DevOps Team Topologies",
- "text": "Aim to define functions for Azure Landing Zone Platform team.",
- "waf": "Operations",
- "guid": "634146bf-7085-4419-a7b5-f96d2726f6da",
- "id": "H01.02",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "text": "Identify required Azure tags and use the 'append' policy mode to enforce usage.",
+ "waf": "Security",
+ "guid": "e979377b-cdb3-4751-ab2a-b13ada6e55d7",
+ "id": "E01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging"
+ },
+ {
+ "category": 
"Governance", + "subcategory": "Governance", + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", + "waf": "Security", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "id": "E01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/governance/policy/overview" + }, + { + "category": "Governance", + "subcategory": "Governance", + "text": "Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes", + "waf": "Security", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "id": "E01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/governance/policy/overview" + }, + { + "category": "Governance", + "subcategory": "Governance", + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "waf": "Security", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "id": "E01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/governance/policy/overview" + }, + { + "category": "Governance", + "subcategory": "Governance", + "text": "Use Azure Policy to control which services users can provision at the subscription/management group level", + "waf": "Security", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "id": "E01.06", "severity": "Low", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations" + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services" }, { - "category": "Platform Automation and DevOps", - "subcategory": "DevOps Team Topologies", - "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. 
Achieve this through the use of custom RBAC role.",
- "waf": "Operations",
- "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5",
- "id": "H01.03",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "text": "Use built-in policies where possible to minimize operational overhead.",
+ "waf": "Security",
+ "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
+ "id": "E01.07",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview"
+ },
+ {
+ "category": "Governance",
+ "subcategory": "Governance",
+ "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
+ "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
+ "waf": "Security",
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "id": "E01.08",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy"
+ },
+ {
+ "category": "Governance",
+ "subcategory": "Governance",
+ "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
+ "waf": "Security",
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "id": "E01.09",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview"
+ },
+ {
+ "category": "Governance",
+ "subcategory": "Optimize your cloud investment",
+ "text": "Consider using automation tags to start/stop VM's in your environment to save on cost.",
+ "waf": "Security",
+ "guid": "9b5e2a28-9823-4faf-ab7e-afa5f6c57221",
+ "id": "E02.01",
 "severity": "Low",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations" + "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config" }, { - "category": "Platform Automation and DevOps", - "subcategory": "DevOps Team Topologies", - "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.", + "category": "Governance", + "subcategory": "Optimize your cloud investment", + "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", + "waf": "Cost", + "guid": "29fd366b-a180-452b-9bd7-954b7700c667", + "id": "E02.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json" + }, + { + "category": "Management", + "subcategory": "App delivery", + "text": "Add diagnostic settings to save your Azure Front Door WAF's logs. Regularly review the logs to check for attacks and for false positive detections.", "waf": "Operations", - "guid": "165eb5e9-b434-448a-9e24-178632186212", - "id": "H01.04", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "id": "F01.01", "ammp": true, "severity": "High", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code" + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs" }, { - "category": "Platform Automation and DevOps", - "subcategory": "DevOps Team Topologies", - "text": "Include unit tests for IaC and application code as part of your build process.", + "category": "Management", + "subcategory": "App delivery", + "text": "Send Azure Front Door logs to Microsoft Sentinel. 
Detect attacks and integrate Front Door telemetry into your overall Azure environment.",
 "waf": "Operations",
- "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460",
- "id": "H01.05",
+ "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
+ "id": "F01.02",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds"
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel"
 },
 {
- "category": "Platform Automation and DevOps",
- "subcategory": "DevOps Team Topologies",
- "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
+ "category": "Management",
+ "subcategory": "Data Protection",
+ "text": "Consider cross-region replication in Azure for BCDR with paired regions",
+ "waf": "Reliability",
+ "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb",
+ "id": "F02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Data Protection",
+ "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS",
+ "waf": "Reliability",
+ "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
+ "id": "F02.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
 "waf": "Operations",
- "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
- "id": "H01.06",
- "ammp": true,
- "severity": "High",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds" + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "id": "F03.01", + "severity": "Medium", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment" }, { - "category": "Platform Automation and DevOps", - "subcategory": "DevOps Team Topologies", - "text": "Implement automation for File > New > Landing Zone for applications and workloads.", + "category": "Management", + "subcategory": "Monitoring", + "text": "Is the landing zone documented?", "waf": "Operations", - "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4", - "id": "H01.07", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending" + "guid": "e179b599-de0d-4597-9cd4-cd21b088137f", + "id": "F03.02", + "severity": "Medium" }, { - "category": "Platform Automation and DevOps", - "subcategory": "Development Lifecycle", - "text": "Ensure a version control system is used for source code of applications and IaC developed. Microsoft recommends Git.", + "category": "Management", + "subcategory": "Monitoring", + "text": "Use Azure Monitor Logs when log retention requirements exceed two years. 
You can currently keep data in archived state for up to 7 years.",
 "waf": "Operations",
- "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b",
- "id": "H02.01",
- "ammp": true,
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code"
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "id": "F03.03",
+ "severity": "Medium",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work"
 },
 {
- "category": "Platform Automation and DevOps",
- "subcategory": "Development Lifecycle",
- "text": "Follow a branching strategy to allow teams to collaborate better and efficiently manage version control of IaC and application Code. Review options such as Github Flow.",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", "waf": "Operations", - "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d", - "id": "H02.02", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle" + "guid": "00f1ce16-ed30-41d6-b872-e52e3611cc58", + "id": "F03.04", + "severity": "Medium", + "training": "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance" }, { - "category": "Platform Automation and DevOps", - "subcategory": "Development Lifecycle", - "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.", + "category": "Management", + "subcategory": "Monitoring", + "text": "Monitor in-guest virtual machine (VM) configuration drift using Azure Policy. Enabling guest configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", "waf": "Operations", - "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe", - "id": "H02.03", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "id": "F03.05", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle" + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create" }, { - "category": "Platform Automation and DevOps", - "subcategory": "Development Strategy", - "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. 
Both from a Platform and Application workload perspective.",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Use Update Management in Azure Automation as a long-term patching mechanism for both Windows and Linux VMs. ",
 "waf": "Operations",
- "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73",
- "id": "H03.01",
- "ammp": true,
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code"
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "id": "F03.06",
+ "severity": "Medium",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview"
 },
 {
- "category": "Platform Automation and DevOps",
- "subcategory": "Security",
- "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Use Network Watcher to proactively monitor traffic flows",
 "waf": "Operations",
- "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f",
- "id": "H04.01",
- "ammp": true,
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure"
+ "guid": "90483845-c986-4cb2-a131-56a12476e49f",
+ "id": "F03.07",
+ "severity": "Medium",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
 },
 {
- "category": "Resource Organization",
- "subcategory": "Naming and tagging",
- "text": "It is recommended to follow Microsoft Best Practice Naming Standards",
- "waf": "Security",
- "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a",
- "id": "I01.01",
- "ammp": true,
- "severity": "High",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming" + "category": "Management", + "subcategory": "Monitoring", + "text": "Use resource locks to prevent accidental deletion of critical shared services.", + "waf": "Operations", + "guid": "541acdce-9793-477b-adb3-751ab2ab13ad", + "id": "F03.08", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce reasonably flat management group hierarchy with no more than four levels.", - "waf": "Security", - "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b", - "id": "I02.01", + "category": "Management", + "subcategory": "Monitoring", + "text": "Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.", + "waf": "Operations", + "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44", + "id": "F03.09", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/governance/policy/overview" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Include service and resource health events as part of the overall platform monitoring solution. 
Tracking service and resource health from the platform perspective is an important component of resource management in Azure.",
+ "waf": "Operations",
+ "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154",
+ "id": "F03.10",
 "severity": "Medium",
- "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups"
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal"
 },
 {
- "category": "Resource Organization",
- "subcategory": "Subscriptions",
- "text": "Enforce or appended resource tags through Azure Policy",
- "waf": "Security",
- "guid": "5c2622f5-4b69-4bad-93aa-d5e8c68e1d76",
- "id": "I02.02",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned",
+ "waf": "Operations",
+ "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c",
+ "id": "F03.11",
 "severity": "Medium",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups"
 },
 {
- "category": "Resource Organization",
- "subcategory": "Subscriptions",
- "text": "Enforce a sandbox management group to allow users to immediately 
experiment with Azure",
- "waf": "Security",
- "guid": "667313b4-f566-44b5-b984-a859c773e7d2",
- "id": "I02.03",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs.",
+ "waf": "Operations",
+ "guid": "e3ab3693-829e-47e3-8618-3687a0477a20",
+ "id": "F03.12",
 "severity": "Medium",
- "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations"
+ "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
 },
 {
- "category": "Resource Organization",
- "subcategory": "Subscriptions",
- "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment",
- "waf": "Security",
- "guid": "61623a76-5a91-47e1-b348-ef254c27d42e",
- "id": "I02.04",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Use a centralized Azure Monitor Log Analytics workspace to collect logs and metrics from IaaS and PaaS application resources and control log access with Azure RBAC.",
+ "waf": "Operations",
+ "guid": "9945bda4-3334-4f24-a116-34182ba52752",
+ "id": "F03.13",
 "severity": "Medium",
- "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations"
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
 },
 {
- "category": "Resource Organization",
- "subcategory": "Subscriptions",
- "text": "Enforce a dedicated connectivity subscription in the Platform 
management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.", - "waf": "Security", - "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c", - "id": "I02.05", + "category": "Management", + "subcategory": "Monitoring", + "text": "Use Azure Monitor Logs for insights and reporting.", + "waf": "Operations", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "id": "F03.14", "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations" + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce no subscriptions are placed under the root management group", - "waf": "Security", - "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34", - "id": "I02.06", + "category": "Management", + "subcategory": "Monitoring", + "text": "When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage.", + "waf": "Operations", + "guid": "619e8a13-f988-4795-85d6-26886d70ba6c", + "id": "F03.15", "severity": "Medium", - "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant = (array_length(mgmtChain) > 1)", - "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group" + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce that only privileged users can 
operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings", + "category": "Management", + "subcategory": "Monitoring", + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "waf": "Operations", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "id": "F03.16", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied", + "waf": "Operations", + "guid": "859c3900-4514-41eb-b010-475d695abd74", + "id": "F03.17", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Consider supported regions for linked Log Analytics workspace and automation accounts", + "waf": "Operations", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "id": "F03.18", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings" + }, + { + "category": "Management", + "subcategory": "Operational compliance", + "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", "waf": "Security", - "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19", - "id": "I02.07", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "id": "F04.01", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization" + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce management groups under 
the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.", + "category": "Management", + "subcategory": "Operational compliance", + "text": "Monitor VM security configuration drift via Azure Policy.", + "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", "waf": "Security", - "guid": "92481607-d5d1-4e4e-9146-58d3558fd772", - "id": "I02.08", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "id": "F04.02", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/governance/management-groups/overview" + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.", - "waf": "Security", - "guid": "49b82111-2df2-47ee-912e-7f983f630472", - "id": "I02.09", - "ammp": true, - "severity": "High", - "link": "https://learn.microsoft.com/azure/governance/management-groups/overview" + "category": "Management", + "subcategory": "Protect and Recover", + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.", + "waf": "Operations", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "id": "F05.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.", - "waf": "Security", - "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8", - "id": "I02.10", + "category": "Management", + "subcategory": "Protect and Recover", + "text": "Ensure to use and test native PaaS service disaster recovery capabilities.", + "waf": "Operations", + "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a", + "id": "F05.02", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits" + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. 
Enforce the use of purchased Reserved Instance VM SKUs via Azure Policy.", - "waf": "Security", - "guid": "c68e1d76-6673-413b-9f56-64b5e984a859", - "id": "I02.11", - "ammp": true, - "severity": "High", - "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/", - "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations" + "category": "Management", + "subcategory": "Protect and Recover", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "waf": "Operations", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "id": "F05.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels", - "waf": "Security", - "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25", - "id": "I02.12", + "category": "Management ", + "subcategory": "Fault Tolerance", + "text": "Leverage Availability Zones for your VMs in regions where they are supported.", + "waf": "Reliability", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "id": "E01.01", "ammp": true, "severity": "High", - "training": "https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/", - "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity" - }, - { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Ensure required services and features are available within the chosen deployment regions", - "waf": "Security", - "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908", - "id": "I02.13", - "severity": "Medium", - "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", - "link": "https://azure.microsoft.com/global-infrastructure/services/" + 
"link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Enforce a process for cost management", - "waf": "Security", - "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40", - "id": "I02.14", + "category": "Management ", + "subcategory": "Fault Tolerance", + "text": "Avoid running a production workload on a single VM.", + "waf": "Reliability", + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "id": "E01.02", "ammp": true, "severity": "High", - "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/", - "link": "https://learn.microsoft.com/azure/cost-management-billing/cost-management-billing-overview" + "link": "https://learn.microsoft.com/azure/virtual-machines/availability" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "If AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers", - "waf": "Security", - "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de", - "id": "I02.15", + "category": "Management ", + "subcategory": "Fault Tolerance", + "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", + "waf": "Reliability", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "id": "E01.03", "severity": "Medium", - "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", - "link": "https://learn.microsoft.com/azure/governance/management-groups/overview" + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview" }, { - "category": "Resource Organization", - "subcategory": "Subscriptions", - "text": "Ensure tags are used for billing and cost management", - "waf": "Security", - "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3", - "id": "I02.16", + "category": "Management ", + "subcategory": 
"Scalability",
+ "text": "Leverage Azure Virtual Machine Scale sets to scale up and down based on the load.",
+ "waf": "Reliability",
+ "guid": "ecdc7506-6f37-4ea9-be87-fc5d3df08a64",
+ "id": "E02.01",
 "severity": "Medium",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs"
+ "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview"
 },
 {
 "category": "Security",
@@ -2313,7 +2188,7 @@
 "text": "Determine the incident response plan for Azure services before allowing it into production.",
 "waf": "Security",
 "guid": "b86ad884-08e3-4727-94b8-75ba18f20459",
- "id": "J01.01",
+ "id": "G01.01",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
 },
@@ -2323,7 +2198,7 @@
 "text": "Implement a zero-trust approach for access to the Azure platform, where appropriate.",
 "waf": "Security",
 "guid": "01365d38-e43f-49cc-ad86-8266abca264f",
- "id": "J01.02",
+ "id": "G01.02",
 "severity": "Medium",
 "link": "https://www.microsoft.com/security/business/zero-trust"
 },
@@ -2333,7 +2208,7 @@
 "text": "Use Azure Key Vault to store your secrets and credentials",
 "waf": "Security",
 "guid": "5017f154-e3ab-4369-9829-e7e316183687",
- "id": "J02.01",
+ "id": "G02.01",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/key-vault/general/overview"
@@ -2344,7 +2219,7 @@
 "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.",
 "waf": "Security",
 "guid": "a0477a20-9945-4bda-9333-4f2491163418",
- "id": "J02.02",
+ "id": "G02.02",
 "severity": "Medium",
 "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
 "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling"
@@ -2355,7 +2230,7 @@
 "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
 "waf": "Security",
 "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
- "id": "J02.03",
+ "id": "G02.03",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2365,7 +2240,7 @@
 "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.",
 "waf": "Security",
 "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
- "id": "J02.04",
+ "id": "G02.04",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2375,7 +2250,7 @@
 "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.",
 "waf": "Security",
 "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
- "id": "J02.05",
+ "id": "G02.05",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2385,7 +2260,7 @@
 "text": "Establish an automated process for key and certificate rotation.",
 "waf": "Security",
 "guid": "913156a1-2476-4e49-b541-acdce979377b",
- "id": "J02.06",
+ "id": "G02.06",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2395,7 +2270,7 @@
 "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.",
 "waf": "Security",
 "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
- "id": "J02.07",
+ "id": "G02.07",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2405,7 +2280,7 @@
 "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.",
 "waf": "Security",
 "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
- "id": "J02.08",
+ "id": "G02.08",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault"
 },
@@ -2415,7 +2290,7 @@
 "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
 "waf": "Security",
 "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
- "id": "J02.09",
+ "id": "G02.09",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2425,7 +2300,7 @@
 "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
 "waf": "Security",
 "guid": "16183687-a047-47a2-8994-5bda43334f24",
- "id": "J02.10",
+ "id": "G02.10",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest"
 },
@@ -2435,7 +2310,7 @@
 "text": "Use an Azure Key Vault per application per environment per region.",
 "waf": "Security",
 "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
- "id": "J02.11",
+ "id": "G02.11",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2445,7 +2320,7 @@
 "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.",
 "waf": "Security",
 "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
- "id": "J02.12",
+ "id": "G02.12",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
 },
@@ -2455,7 +2330,7 @@
 "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
 "waf": "Security",
 "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
- "id": "J03.01",
+ "id": "G03.01",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
 },
@@ -2465,7 +2340,7 @@
 "text": "Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary.",
 "waf": "Security",
 "guid": "4e3ab369-3829-4e7e-9161-83687a0477a2",
- "id": "J03.02",
+ "id": "G03.02",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
 },
@@ -2475,7 +2350,7 @@
 "text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
 "waf": "Security",
 "guid": "09945bda-4333-44f2-9911-634182ba5275",
- "id": "J03.03",
+ "id": "G03.03",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management"
@@ -2486,7 +2361,7 @@
 "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
 "waf": "Security",
 "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
- "id": "J03.04",
+ "id": "G03.04",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan"
@@ -2497,7 +2372,7 @@
 "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
 "waf": "Security",
 "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
- "id": "J03.05",
+ "id": "G03.05",
 "ammp": true,
 "severity": "High",
 "link": "https://www.microsoft.com/en-gb/security/business/solutions/cloud-workload-protection"
@@ -2508,7 +2383,7 @@
 "text": "Enable Endpoint Protection on IaaS Servers.",
 "waf": "Security",
 "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
- "id": "J03.06",
+ "id": "G03.06",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection"
@@ -2519,7 +2394,7 @@
 "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
 "waf": "Security",
 "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
- "id": "J03.07",
+ "id": "G03.07",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/security-center/"
 },
@@ -2529,7 +2404,7 @@
 "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
 "waf": "Security",
 "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
- "id": "J03.08",
+ "id": "G03.08",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
 },
@@ -2539,7 +2414,7 @@
 "text": "Secure transfer to storage accounts should be enabled",
 "waf": "Security",
 "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
- "id": "J04.01",
+ "id": "G04.01",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer"
@@ -2550,7 +2425,7 @@
 "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
 "waf": "Security",
 "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
- "id": "J04.02",
+ "id": "G04.02",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection"
@@ -2561,7 +2436,7 @@
 "text": "Separate privileged admin accounts for Azure administrative tasks.",
 "waf": "Security",
 "guid": "6f704104-85c1-441f-96d3-c9819911645e",
- "id": "J05.01",
+ "id": "G05.01",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning"
@@ -2572,7 +2447,7 @@
 "text": "Plan how new azure services will be implemented",
 "waf": "Security",
 "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
- "id": "J06.01",
+ "id": "G06.01",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework"
 },
@@ -2582,10 +2457,136 @@ "text": "Plan how service request will be fulfilled for Azure services", "waf": "Security", "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b", - "id": "J06.02", + "id": "G06.02", "severity": "Medium", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework" - } + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.", + "waf": "Operations", + "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a", + "id": "H01.01", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Aim to define functions for Azure Landing Zone Platform team.", + "waf": "Operations", + "guid": "634146bf-7085-4419-a7b5-f96d2726f6da", + "id": "H01.02", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. 
Achieve this through the use of custom RBAC role.", + "waf": "Operations", + "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5", + "id": "H01.03", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.", + "waf": "Operations", + "guid": "165eb5e9-b434-448a-9e24-178632186212", + "id": "H01.04", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Include unit tests for IaC and application code as part of your build process.", + "waf": "Operations", + "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460", + "id": "H01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "waf": "Operations", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "id": "H01.06", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "DevOps Team Topologies", + "text": "Implement automation for File > New > Landing Zone for applications and workloads.", + "waf": "Operations", + "guid": 
"a52e0c98-76b9-4a09-a1c9-6b2babf22ac4", + "id": "H01.07", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "Development Lifecycle", + "text": "Ensure a version control system is used for source code of applications and IaC developed. Microsoft recommends Git.", + "waf": "Operations", + "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b", + "id": "H02.01", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "Development Lifecycle", + "text": "Follow a branching strategy to allow teams to collaborate better and efficiently manage version control of IaC and application Code. Review options such as Github Flow.", + "waf": "Operations", + "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d", + "id": "H02.02", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "Development Lifecycle", + "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.", + "waf": "Operations", + "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe", + "id": "H02.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "Development Strategy", + "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. 
Both from a Platform and Application workload perspective.", + "waf": "Operations", + "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73", + "id": "H03.01", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code" + }, + { + "category": "Platform Automation and DevOps", + "subcategory": "Security", + "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", + "waf": "Operations", + "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f", + "id": "H04.01", + "ammp": true, + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure" + } ], "categories": [ { From feba26a5e20aab5cdf6ee60eae5ec42e5269fd12 Mon Sep 17 00:00:00 2001 From: BuddyDavies Date: Wed, 27 Sep 2023 13:24:50 +1300 Subject: [PATCH 3/8] Fixed up Management list --- checklists/alz_checklist.en.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index bdfb1915f..f525d4217 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json @@ -1756,7 +1756,7 @@ "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", "waf": "Security", "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "id": "B01.01", + "id": "E01.01", "ammp": true, "severity": "High", "link": "https://learn.microsoft.com/azure/governance/policy/overview" @@ -2146,7 +2146,7 @@ "text": "Leverage Availability Zones for your VMs in regions where they are supported.", "waf": "Reliability", "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "id": "E01.01", + "id": "F06.01", "ammp": true, "severity": "High", "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview" 
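Review bot: H02.03 (`Adopt a pull request strategy to help keep control of code changes merged into branches.`) names the control but not what makes it enforceable; without branch protection a pull-request policy is advisory, so I would extend it to `Adopt a pull request strategy, enforced with branch protection on release branches (required reviewers, required status checks, no direct pushes), to keep control of code changes merged into branches.` H01.03 ends with `Achieve this through the use of custom RBAC role.`, which reads as a typo and also omits the scoping a reviewer would look for; suggest `Achieve this through least-privilege custom RBAC roles scoped to the workload's subscriptions or resource groups.` H01.06 is a secrets-management control yet carries `"waf": "Operations"` and reuses the `#automated-builds` link of the unit-test item H01.05, so `"waf": "Security"` and a Key Vault link would describe it better. Minor: `Github Flow` in H02.02 should be `GitHub Flow`.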
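Review bot: The three items renumbered to F06.xx here were added earlier in this series with `"category": "Management "` (trailing space, visible in the patch 1/8 hunk above but outside this hunk's context), so any exact-string grouping on category will list them apart from `"Management"`; this commit is the natural place to also trim it to `"category": "Management",`. The same trailing space is on the scale-set item, which this commit leaves as `E02.01` even though E01.xx is now used for Governance (`B01.01` becomes `E01.01` in the first hunk of this patch), so that id presumably wants to follow the others into the F series; this is inferred from the numbering, not from these lines.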
@@ -2157,7 +2157,7 @@ "text": "Avoid running a production workload on a single VM.", "waf": "Reliability", "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "id": "E01.02", + "id": "F06.02", "ammp": true, "severity": "High", "link": "https://learn.microsoft.com/azure/virtual-machines/availability" @@ -2168,7 +2168,7 @@ "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", "waf": "Reliability", "guid": "84101f59-1941-4195-a270-e28034290e3a", - "id": "E01.03", + "id": "F06.03", "severity": "Medium", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview" }, From 93af2836086b4e4297a2d973b881c537522932d9 Mon Sep 17 00:00:00 2001 From: BuddyDavies Date: Wed, 27 Sep 2023 13:29:22 +1300 Subject: [PATCH 4/8] entra fix up --- checklists/alz_checklist.en.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index f525d4217..c3b331ab7 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json @@ -163,7 +163,7 @@ }, { "category": "Identity and Access Management", - "subcategory": "Active Directory and Hybrid Identity", + "subcategory": "Microsoft Entra ID and Hybrid Identity", "text": "Use managed identities instead of service principals for authentication to Azure services", "waf": "Security", "guid": "4348bf81-7573-4512-8f46-9061cc198fea", From 681f0eb7fb3c4fafc8738b3b2a2efdcfc4439da7 Mon Sep 17 00:00:00 2001 From: BuddyDavies Date: Wed, 27 Sep 2023 13:37:02 +1300 Subject: [PATCH 5/8] moved d42e8bbac757 to correct design area --- checklists/alz_checklist.en.json | 33 ++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index c3b331ab7..b90b6f3a6 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json 
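Review bot: Only this item's subcategory is renamed to `Microsoft Entra ID and Hybrid Identity` (the diffstat is 1 insertion, 1 deletion), so if other items still carry `Active Directory and Hybrid Identity`, which is not visible in this hunk, the rename splits one subcategory into two in any grouping by that string. Worth a search for the old string across the file and the `categories` list before merging. If the text is touched anyway, `Use managed identities instead of service principals for authentication to Azure services` would benefit from the reason practitioners care: managed identities have no client secret or certificate to store, rotate or leak.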
@@ -296,24 +296,13 @@
 "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations"
 },
- {
- "category": "Identity and Access Management",
- "subcategory": "Identity",
- "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them",
- "waf": "Security",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "id": "B03.11",
- "severity": "Medium",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
- "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
- },
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
 "text": "If Azure Active Directory Domains Services (AADDS) is in use, deploy AADDS within the primary region because this service can only be projected into one subscription",
 "waf": "Security",
 "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
- "id": "B03.12",
+ "id": "B03.11",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
 "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview"
@@ -324,7 +313,7 @@
 "text": "If AADDS in use, evaluate the compatibility of all workloads",
 "waf": "Security",
 "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
- "id": "B03.13",
+ "id": "B03.12",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
 "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview"
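Review bot: The item renumbered to `B03.11` here still reads `Azure Active Directory Domains Services (AADDS)`, where `Domains` is a typo and the service is now branded Microsoft Entra Domain Services, in a series titled `Entra updates` that renames the surrounding categories; suggest `If Microsoft Entra Domain Services (formerly Azure AD DS) is in use, deploy it within the primary region because this service can only be projected into one subscription`, and the same treatment for the `If AADDS in use` item in the next hunk. The removed data-sovereignty item reappears under Governance later in this commit, so the deletion itself is fine.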
@@ -335,7 +324,7 @@
 "text": "If AD on Windows server in use, are the resources in Azure using the correct domain controller?",
 "waf": "Security",
 "guid": "ac6a9e01-e6a8-43de-9de3-2c1992481607",
- "id": "B03.14",
+ "id": "B03.13",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain"
@@ -346,7 +335,7 @@
 "text": "Consider using Microsoft Entra ID Application Proxy as a VPN or reverse proxy replacement to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
 "waf": "Security",
 "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "id": "B03.15",
+ "id": "B03.14",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy"
@@ -357,7 +346,7 @@
 "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.",
 "waf": "Security",
 "guid": "35037e68-9349-4c15-b371-228514f4cdff",
- "id": "B03.16",
+ "id": "B03.15",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices"
@@ -1842,6 +1831,18 @@
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview"
 },
+
+ {
+ "category": "Governance",
+ "subcategory": "Governance",
+ "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them",
+ "waf": "Security",
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "id": "E01.10",
+ "severity": "Medium",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
+ },
 {
 "category": "Governance",
 "subcategory": "Optimize your cloud investment",
From 8f0e6f584228e2b4d29d5f49ba49111a3b3c7eec Mon Sep 17 00:00:00 2001
From: BuddyDavies
Date: Wed, 27 Sep 2023 14:59:23 +1300
Subject: [PATCH 6/8] igors feedback addressed
---
 checklists/alz_checklist.en.json | 48 ++++++++++++-------------------
 1 file changed, 18 insertions(+), 30 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index b90b6f3a6..5eac1d75d 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
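Review bot: The re-added entry is preceded by an added empty line (the lone `+` right after `},`), which none of the neighbouring items use; drop that line so the `items` array stays uniformly formatted and the next pretty-print pass does not produce a spurious whitespace diff. Keeping the original `guid` 5a917e1f-348e-4f25-9c27-d42e8bbac757 on the moved item is the right call, since it lets guid-keyed consumers see a move rather than a delete plus an add. Whether `E01.10` is free in the Governance block cannot be checked from this hunk alone, so confirm it does not duplicate an existing id.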
@@ -406,25 +406,13 @@
 "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups"
 },
- {
- "category": "Resource Organization",
- "subcategory": "Subscriptions",
- "text": "Enforce or appended resource tags through Azure Policy",
- "waf": "Security",
- "guid": "5c2622f5-4b69-4bad-93aa-d5e8c68e1d76",
- "id": "C02.02",
- "severity": "Medium",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
- },
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
 "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure",
 "waf": "Security",
 "guid": "667313b4-f566-44b5-b984-a859c773e7d2",
- "id": "C02.03",
+ "id": "C02.02",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations"
@@ -435,7 +423,7 @@
 "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment",
 "waf": "Security",
 "guid": "61623a76-5a91-47e1-b348-ef254c27d42e",
- "id": "C02.04",
+ "id": "C02.03",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations"
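Review bot: The removed C02.02 entry (guid 5c2622f5-4b69-4bad-93aa-d5e8c68e1d76, "Enforce or appended resource tags through Azure Policy") is deleted outright together with its `graph` compliance query and is not re-added anywhere in this series. It looks like a deduplication against the tagging checks that survive — the same `graph` query is kept on the "Ensure tags are used for billing and cost management" item later in this patch, and E01.02 in PATCH 8 covers the `append` policy mode — but the commit message ("igors feedback addressed") does not say so. Naming the superseding item in the commit message would let guid-keyed consumers treat this as a merge rather than a lost check.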
@@ -443,10 +431,10 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.",
+ "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.",
 "waf": "Security",
 "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c",
- "id": "C02.05",
+ "id": "C02.04",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations"
@@ -457,7 +445,7 @@
 "text": "Enforce no subscriptions are placed under the root management group",
 "waf": "Security",
 "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34",
- "id": "C02.06",
+ "id": "C02.05",
 "severity": "Medium",
 "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant = (array_length(mgmtChain) > 1)",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group"
@@ -468,7 +456,7 @@
 "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings",
 "waf": "Security",
 "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19",
- "id": "C02.07",
+ "id": "C02.06",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization"
 },
@@ -478,7 +466,7 @@
 "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.",
 "waf": "Security",
 "guid": "92481607-d5d1-4e4e-9146-58d3558fd772",
- "id": "C02.08",
+ "id": "C02.07",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
 },
@@ -488,7 +476,7 @@
 "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.",
 "waf": "Security",
 "guid": "49b82111-2df2-47ee-912e-7f983f630472",
- "id": "C02.09",
+ "id": "C02.08",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
@@ -499,7 +487,7 @@
 "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.",
 "waf": "Security",
 "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8",
- "id": "C02.10",
+ "id": "C02.09",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
 },
@@ -509,7 +497,7 @@
 "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. Enforce the use of purchased Reserved Instance VM SKUs via Azure Policy.",
 "waf": "Security",
 "guid": "c68e1d76-6673-413b-9f56-64b5e984a859",
- "id": "C02.11",
+ "id": "C02.10",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/",
@@ -521,7 +509,7 @@
 "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels",
 "waf": "Security",
 "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25",
- "id": "C02.12",
+ "id": "C02.11",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/",
@@ -533,7 +521,7 @@
 "text": "Ensure required services and features are available within the chosen deployment regions",
 "waf": "Security",
 "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908",
- "id": "C02.13",
+ "id": "C02.12",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
 "link": "https://azure.microsoft.com/global-infrastructure/services/"
@@ -544,7 +532,7 @@
 "text": "Enforce a process for cost management",
 "waf": "Security",
 "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
- "id": "C02.14",
+ "id": "C02.13",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/",
@@ -553,10 +541,10 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "If AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers",
+ "text": "If AD on Windows Server, establish a dedicated identity subscription in the Indentity management group, to host Windows Server Active Directory domain controllers",
 "waf": "Security",
 "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de",
- "id": "C02.15",
+ "id": "C02.14",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
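Review bot: The rewritten text in the last hunk (guid 3a923c34-74d0-4001-aac6-a9e01e6a83de) misspells "Identity" as "Indentity" and adds a comma that separates "subscription in the … management group" from its purpose clause. This is user-facing checklist text, so it should read `"text": "If AD on Windows Server, establish a dedicated identity subscription in the Identity management group to host Windows Server Active Directory domain controllers",`. The sibling change in this patch that moves the connectivity subscription to the Connectivity management group uses the same "in the X management group to host" phrasing without the comma, so the fix also keeps the two items consistent.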
@@ -567,7 +555,7 @@
 "text": "Ensure tags are used for billing and cost management",
 "waf": "Security",
 "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3",
- "id": "C02.16",
+ "id": "C02.15",
 "severity": "Medium",
 "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
 "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
@@ -841,7 +829,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hub and spoke",
- "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy Active Directory domain controllers and DNS servers.",
+ "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.",
 "waf": "Cost",
 "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
 "id": "D03.02",
@@ -2176,7 +2164,7 @@
 {
 "category": "Management ",
 "subcategory": "Scalability",
- "text": "Leverage Azure Virtual Machine Scale sets to scale up and down based on the load.",
+ "text": "Leverage Azure Virtual Machine Scale sets to scale in and out based on the load.",
 "waf": "Reliability",
 "guid": "ecdc7506-6f37-4ea9-be87-fc5d3df08a64",
 "id": "E02.01",
From df53882b922dc22214bc361c00f9743ddb998ab3 Mon Sep 17 00:00:00 2001
From: BuddyDavies
Date: Wed, 27 Sep 2023 15:00:46 +1300
Subject: [PATCH 7/8] igors feedback addressed.
---
 checklists/alz_checklist.en.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 5eac1d75d..5d3ef2981 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
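Review bot: The context line `"category": "Management ",` in the last hunk (item E02.01, guid ecdc7506-6f37-4ea9-be87-fc5d3df08a64) carries a trailing space inside the string; if the other items in that design area use `"Management"` without it, this item is grouped under a separate category by any consumer that compares category strings exactly. The hunk does not touch that line, but since this patch already edits the item's `text` it is a cheap fix to make in the same change: `"category": "Management",`. Whether other items share the trailing space cannot be seen from this hunk, so check the rest of the E02 block before assuming this one is the outlier.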
@@ -1761,7 +1761,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes",
 "waf": "Security",
 "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
 "id": "E01.04",
From 7d5b15003f00865f39968ec9a2cea839f8a99148 Mon Sep 17 00:00:00 2001
From: BuddyDavies
Date: Thu, 28 Sep 2023 16:46:16 +1300
Subject: [PATCH 8/8] minor tweak
---
 checklists/alz_checklist.en.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 5d3ef2981..0b1fab3ba 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -1741,7 +1741,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "Identify required Azure tags and use the 'append' policy mode to enforce usage.",
+ "text": "Identify required Azure tags and use the 'append' policy mode to enforce usage via Azure Policy.",
 "waf": "Security",
 "guid": "e979377b-cdb3-4751-ab2a-b13ada6e55d7",
 "id": "E01.02",