azure-security.yml
apiVersion: kopexa.io/v1alpha1
kind: Policy
metadata:
  name: kopexa-azure-security
  title: Kopexa Microsoft Azure Security
  version: 2.0.3
  tags:
    kopexa.com/category: security
    kopexa.com/platform: azure,cloud
  require:
    - provider: azure
  authors:
    - name: Kopexa GmbH
      email: security@kopexa.com
groups:
  - title: Azure Storage
    checks:
      - uid: kopexa-azure-security-public-access-level-private-blob-containers
      - uid: kopexa-azure-security-trusted-microsoft-services-enabled-for-storage-account-access
      - uid: kopexa-azure-security-secure-transfer-required-enabled
      - uid: kopexa-azure-security-default-network-access-rule-storage-accounts-deny
  - title: Azure SQL
    checks:
      - uid: kopexa-azure-security-sql-server-audit-on
      - uid: kopexa-azure-security-sql-server-tde-on
      - uid: kopexa-azure-security-ensure-that-ssl-enabled-latest-version-mysql
      - uid: kopexa-azure-security-ensure-that-ssl-enabled-postgresql
      - uid: kopexa-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0
      - uid: kopexa-azure-security-ensure-disabled-public-access-sql
  - title: Azure Key Vault
    checks:
      - uid: kopexa-azure-security-ensure-the-kv-is-recoverable
      - uid: kopexa-azure-security-keyvault-public-access-disabled
  - title: Azure Compute
    checks:
      - uid: kopexa-azure-security-ensure-os-disk-are-encrypted
      - uid: kopexa-azure-security-nsg-no-unrestricted-ssh
      - uid: kopexa-azure-security-nsg-no-unrestricted-rdp
  - title: Azure Core
    filter: asset.type == "azure-subscription"
    checks:
      - uid: kopexa-azure-security-diagnostic-settings-exist
      - uid: kopexa-azure-security-ensure-register-with-ad-is-enabled-on-app-service
      - uid: kopexa-azure-security-ensure-web-app-is-using-the-latest-tls
scoring_system: highest_impact
queries:
  # Storage Security Checks
  - uid: kopexa-azure-security-public-access-level-private-blob-containers
    title: Ensure that anonymous access to blob containers and public access on storage accounts are disabled
    resource: azure_storage_account
    severity: critical
    query: |
      has(resource.properties) &&
      has(resource.properties.allowBlobPublicAccess) &&
      resource.properties.allowBlobPublicAccess == false
    docs: |
      Anonymous access to blob containers can lead to unauthorized data exposure. This check ensures that anonymous (public) blob access is disabled at the storage account level, which overrides any per-container access level.
    audit: |
      **Azure Portal:**
      1. Go to Storage Accounts
      2. For each storage account, check Networking settings
      3. Verify 'Public Network Access' is set to 'Disabled'
      4. Under Configuration, verify 'Allow Blob Anonymous Access' is 'Disabled'
    remediation: |
      Disable public blob access in storage account configuration settings.
  - uid: kopexa-azure-security-trusted-microsoft-services-enabled-for-storage-account-access
    title: Ensure "Trusted Microsoft Services" have access to Azure storage accounts
    resource: azure_storage_account
    severity: high
    # networkAcls.bypass is a comma-separated list (e.g. "AzureServices, Logging, Metrics"),
    # so a substring match is used rather than an exact comparison.
    query: |
      has(resource.properties) &&
      has(resource.properties.networkAcls) &&
      has(resource.properties.networkAcls.bypass) &&
      resource.properties.networkAcls.bypass.contains("AzureServices") &&
      resource.properties.networkAcls.defaultAction == "Deny"
    docs: |
      With the default network action set to "Deny", allowing trusted Microsoft services to bypass the network rules keeps platform services such as backup, monitoring and Azure-hosted integrations working without opening the account to the public network.
    remediation: |
      Enable 'Allow trusted Microsoft services' in storage account networking settings.
  - uid: kopexa-azure-security-secure-transfer-required-enabled
    title: Mandate HTTPS for secure data transfer to Azure storage accounts
    resource: azure_storage_account
    severity: critical
    query: |
      has(resource.properties) &&
      has(resource.properties.supportsHttpsTrafficOnly) &&
      resource.properties.supportsHttpsTrafficOnly == true
    docs: |
      Enforces HTTPS for all data operations so that data and access keys in transit cannot be intercepted; plain HTTP requests are rejected.
    remediation: |
      Enable 'Secure transfer required' in storage account configuration.
  - uid: kopexa-azure-security-default-network-access-rule-storage-accounts-deny
    title: Enforce Deny as default network access for Azure storage accounts
    resource: azure_storage_account
    severity: critical
    query: |
      has(resource.properties) &&
      has(resource.properties.networkAcls) &&
      resource.properties.networkAcls.defaultAction == "Deny"
    docs: |
      Setting the default network action to "Deny" ensures only explicitly allowed IP ranges, virtual networks and trusted services can reach the storage account.
    remediation: |
      Set default network access rule to 'Deny' in storage account networking settings.
  # SQL Security Checks
  - uid: kopexa-azure-security-sql-server-audit-on
    title: Ensure that all activities on SQL server are audited
    resource: azure_sql_server
    severity: high
    query: |
      has(resource.auditingPolicy) &&
      resource.auditingPolicy.state == "Enabled"
    docs: |
      Server-level auditing records database events and is the data source for detecting unauthorized access and suspicious behavior.
    remediation: |
      Enable auditing for the SQL server in Azure portal or via Azure CLI.
  - uid: kopexa-azure-security-sql-server-tde-on
    title: Ensure that transparent data encryption is enabled for SQL Server databases
    resource: azure_sql_database
    severity: high
    # The system "master" database cannot have TDE enabled, so it is exempt.
    query: |
      resource.name == "master" ||
      (has(resource.transparentDataEncryption) &&
       resource.transparentDataEncryption.state == "Enabled")
    docs: |
      TDE encrypts database files and backups at rest, protecting sensitive information if the underlying storage is accessed directly.
    remediation: |
      Enable Transparent Data Encryption for each SQL database.
  - uid: kopexa-azure-security-ensure-that-ssl-enabled-latest-version-mysql
    title: Ensure SSL connection enabled for MySQL Database Server with the latest version
    resource: azure_mysql_server
    severity: critical
    query: |
      has(resource.properties) &&
      resource.properties.sslEnforcement == "Enabled" &&
      resource.properties.minimalTlsVersion == "TLS1_2"
    docs: |
      Enforces SSL/TLS connections and requires TLS 1.2 as the minimum protocol version for MySQL servers, rejecting clients that only support older versions.
    remediation: |
      Enable SSL enforcement and set minimum TLS version to 1.2 for MySQL server.
  - uid: kopexa-azure-security-ensure-that-ssl-enabled-postgresql
    title: Ensure SSL connection enabled for PostgreSQL database servers
    resource: azure_postgresql_server
    severity: critical
    query: |
      has(resource.properties) &&
      resource.properties.sslEnforcement == "Enabled"
    docs: |
      Enforces SSL/TLS for all PostgreSQL connections to protect credentials and data in transit.
    remediation: |
      Enable SSL enforcement for the PostgreSQL server.
  - uid: kopexa-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0
    title: Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
    resource: azure_sql_server
    severity: critical
    # Only the full 0.0.0.0-255.255.255.255 range is flagged; the 0.0.0.0-0.0.0.0 rule
    # is the "Allow Azure services" sentinel and is intentionally not matched.
    query: |
      !has(resource.firewallRules) ||
      size(resource.firewallRules) == 0 ||
      resource.firewallRules.all(rule,
        rule.startIpAddress != "0.0.0.0" || rule.endIpAddress != "255.255.255.255")
    docs: |
      Prevents unrestricted network access to SQL databases from any IP address on the internet.
    remediation: |
      Remove firewall rules that allow access from 0.0.0.0 to 255.255.255.255.
  - uid: kopexa-azure-security-ensure-disabled-public-access-sql
    title: Ensure public network access for SQL server is blocked or limited to selected networks
    resource: azure_sql_server
    severity: critical
    query: |
      has(resource.properties) &&
      (resource.properties.publicNetworkAccess == "Disabled" ||
       (has(resource.virtualNetworkRules) && size(resource.virtualNetworkRules) > 0) ||
       (has(resource.firewallRules) && size(resource.firewallRules) > 0))
    docs: |
      Limits public network access to SQL servers to reduce the exposed attack surface; the server must either have public access disabled or restrict access through virtual network or firewall rules.
    remediation: |
      Disable public network access or configure virtual network rules for the SQL server.
  # Key Vault Security Checks
  - uid: kopexa-azure-security-ensure-the-kv-is-recoverable
    title: Ensure Key Vaults are configured with recovery features
    resource: azure_keyvault_vault
    severity: critical
    query: |
      has(resource.properties) &&
      has(resource.properties.enablePurgeProtection) &&
      resource.properties.enablePurgeProtection == true
    docs: |
      Purge protection prevents accidental or malicious permanent deletion of a key vault and its keys, secrets and certificates during the soft-delete retention period.
    remediation: |
      Enable purge protection for the Key Vault.
  - uid: kopexa-azure-security-keyvault-public-access-disabled
    title: Ensure default public network access for Azure Key Vault is disabled
    resource: azure_keyvault_vault
    severity: critical
    query: |
      has(resource.properties) &&
      (resource.properties.publicNetworkAccess == "Disabled" ||
       (has(resource.properties.networkAcls) &&
        ((has(resource.properties.networkAcls.ipRules) &&
          size(resource.properties.networkAcls.ipRules) > 0) ||
         (has(resource.properties.networkAcls.virtualNetworkRules) &&
          size(resource.properties.networkAcls.virtualNetworkRules) > 0))))
    docs: |
      Restricting public network access to Key Vault minimizes exposure of stored keys and secrets to the internet.
    remediation: |
      Disable public network access or configure IP/virtual network rules for the Key Vault.
  # Compute Security Checks
  - uid: kopexa-azure-security-ensure-os-disk-are-encrypted
    title: Ensure OS disks in Azure virtual machines are encrypted with customer-managed keys
    resource: azure_virtual_machine
    severity: critical
    # Double encryption (platform and customer keys) also uses a customer-managed key.
    query: |
      has(resource.osDisk) &&
      has(resource.osDisk.properties) &&
      has(resource.osDisk.properties.encryption) &&
      resource.osDisk.properties.encryption.type in [
        "EncryptionAtRestWithCustomerKey",
        "EncryptionAtRestWithPlatformAndCustomerKeys"
      ]
    docs: |
      Encrypting OS disks with a customer-managed key gives the customer control over the key lifecycle (rotation, revocation and access policy) rather than relying solely on platform-managed keys.
    remediation: |
      Enable disk encryption with Customer Managed Keys for the virtual machine.
  - uid: kopexa-azure-security-nsg-no-unrestricted-ssh
    title: Ensure that SSH access is restricted from the internet
    resource: azure_network_security_group
    severity: critical
    # Azure reports the protocol as "Tcp"; both casings are accepted.
    query: |
      !has(resource.securityRules) ||
      size(resource.securityRules) == 0 ||
      !resource.securityRules.exists(rule,
        has(rule.properties) &&
        rule.properties.access == "Allow" &&
        rule.properties.direction == "Inbound" &&
        rule.properties.protocol in ["Tcp", "TCP", "*"] &&
        (rule.properties.sourceAddressPrefix == "*" ||
         rule.properties.sourceAddressPrefix == "0.0.0.0/0" ||
         rule.properties.sourceAddressPrefix == "Internet" ||
         rule.properties.sourceAddressPrefix == "Any") &&
        (rule.properties.destinationPortRange == "22" ||
         rule.properties.destinationPortRange == "*")
      )
    docs: |
      Restricting SSH access from the internet prevents unauthorized remote access attempts and credential brute forcing against port 22.
    remediation: |
      Remove or restrict NSG rules that allow SSH (port 22) from any internet source.
  - uid: kopexa-azure-security-nsg-no-unrestricted-rdp
    title: Ensure that RDP access is restricted from the internet
    resource: azure_network_security_group
    severity: critical
    # Azure reports the protocol as "Tcp"; both casings are accepted.
    query: |
      !has(resource.securityRules) ||
      size(resource.securityRules) == 0 ||
      !resource.securityRules.exists(rule,
        has(rule.properties) &&
        rule.properties.access == "Allow" &&
        rule.properties.direction == "Inbound" &&
        rule.properties.protocol in ["Tcp", "TCP", "*"] &&
        (rule.properties.sourceAddressPrefix == "*" ||
         rule.properties.sourceAddressPrefix == "0.0.0.0/0" ||
         rule.properties.sourceAddressPrefix == "Internet" ||
         rule.properties.sourceAddressPrefix == "Any") &&
        (rule.properties.destinationPortRange == "3389" ||
         rule.properties.destinationPortRange == "*")
      )
    docs: |
      Restricting RDP access from the internet prevents brute force and unauthorized access attempts against port 3389.
    remediation: |
      Remove or restrict NSG rules that allow RDP (port 3389) from any internet source.
  # Core Security Checks
  - uid: kopexa-azure-security-diagnostic-settings-exist
    title: Ensure that diagnostic settings exist for the subscription
    resource: azure_subscription
    severity: high
    query: |
      has(resource.monitor) &&
      has(resource.monitor.diagnosticSettings) &&
      size(resource.monitor.diagnosticSettings) > 0
    docs: |
      Diagnostic settings export the subscription activity log to a workspace, storage account or event hub, which is a prerequisite for monitoring and security analysis of Azure resources.
    remediation: |
      Create diagnostic settings for the Azure subscription to enable logging.
  - uid: kopexa-azure-security-ensure-register-with-ad-is-enabled-on-app-service
    title: Enable managed identities for App Services to authenticate via Microsoft Entra ID
    resource: azure_app_service
    severity: high
    # identity.type is "SystemAssigned" or "SystemAssigned, UserAssigned" when a
    # system-assigned identity is present; both satisfy the check.
    query: |
      has(resource.identity) &&
      has(resource.identity.type) &&
      resource.identity.type.contains("SystemAssigned") &&
      has(resource.identity.principalId) &&
      resource.identity.principalId != ""
    docs: |
      Managed identities remove the need to store credentials in app settings or code; the platform issues and rotates tokens for the identity, so there is no secret to leak.
    remediation: |
      Enable System Assigned Managed Identity for the App Service.
  - uid: kopexa-azure-security-ensure-web-app-is-using-the-latest-tls
    title: Ensure that Web Apps use the latest available version of TLS encryption
    resource: azure_app_service
    severity: high
    # TLS 1.2 is the required minimum; a site that already enforces 1.3 also passes.
    query: |
      has(resource.configuration) &&
      has(resource.configuration.properties) &&
      resource.configuration.properties.minTlsVersion in ["1.2", "1.3"]
    docs: |
      Requiring TLS 1.2 or later rejects clients that negotiate TLS 1.0 or 1.1, which have known protocol weaknesses.
    remediation: |
      Set minimum TLS version to 1.2 for the App Service.
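The two NSG queries above only match a rule whose `destinationPortRange` is exactly "22"/"3389" or "*" and whose source is the singular `sourceAddressPrefix`. The following Python is an added illustration (not Kopexa's code and not part of the policy file) that reimplements the same SSH/RDP exposure logic and generalizes it to the plural `sourceAddressPrefixes`/`destinationPortRanges` fields and to port ranges such as "20-30"; the NSG document is constructed sample data.

```python
# Added illustration (not Kopexa code): the policy's NSG SSH/RDP checks re-done in
# Python, extended to plural prefix/port fields, port ranges and "Tcp" casing.
INTERNET = {"*", "0.0.0.0/0", "Internet", "Any"}


def port_in_spec(port: int, spec: str) -> bool:
    """An NSG port spec is "22", "20-30" or "*"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_exposes_port(rule: dict, port: int) -> bool:
    """True if one rule allows inbound TCP to `port` from an internet source."""
    p = rule.get("properties", {})
    if p.get("access") != "Allow" or p.get("direction") != "Inbound":
        return False
    if p.get("protocol", "").lower() not in ("tcp", "*"):
        return False
    # Azure may populate the singular or the plural field; check both.
    sources = set(p.get("sourceAddressPrefixes", [])) | {p.get("sourceAddressPrefix")}
    if not sources & INTERNET:
        return False
    ports = list(p.get("destinationPortRanges", [])) + [p.get("destinationPortRange", "")]
    return any(port_in_spec(port, s) for s in ports if s)


def unrestricted_admin_rules(nsg: dict) -> list:
    """(rule name, service) for every rule exposing SSH (22) or RDP (3389)."""
    return [(r["name"], svc)
            for r in nsg.get("securityRules", [])
            for port, svc in ((22, "SSH"), (3389, "RDP"))
            if rule_exposes_port(r, port)]


# Constructed sample NSG (not real data). "mgmt" slips past an exact match on
# "22" because it uses a port range and the plural prefixes field.
SAMPLE_NSG = {"securityRules": [
    {"name": "allow-https", "properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
    {"name": "mgmt", "properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
        "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
        "destinationPortRanges": ["20-30", "3389"]}},
    {"name": "deny-all", "properties": {
        "access": "Deny", "direction": "Inbound", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
]}
```

`unrestricted_admin_rules(SAMPLE_NSG)` returns `[('mgmt', 'SSH'), ('mgmt', 'RDP')]`; the `deny-all` rule and the HTTPS-only rule are not reported.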