Platform Specific Controls

Azure

Microsoft provides on-demand cloud computing services through Azure. Azure offers services that assist in building, testing, deploying, and managing applications and services. Azure provides Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), and supports many different programming languages, tools and frameworks.


The following Azure-related controls are organized by category.

The following are links to more detailed pages:

Cloud Controls

Showing 94 controls:
Control Title | Control Type | Risk Rating
Access to Storage Accounts Keys | Cloud Controls, Least Privilege | High
Application Gateway Insecure listener | Cloud Controls | Medium
Application Gateway Subnet security group allowing traffic on insecure ports | Cloud Controls | High
Application Gateway with Logging Disabled | Cloud Controls | High
Application Gateway with no Health Probe Rule | Cloud Controls | Low
Application Gateway with single or no VM attached | Cloud Controls | Low
Application Gateway with WAF Disabled | Cloud Controls | High
Application Gateway with WAF not in Prevention mode | Cloud Controls | High
Application gateways not in WAF tier | Cloud Controls | High
Availability sets with only 1 fault domain and 1 update domain | Cloud Controls | Low
Azure Storage account with Disabled Encryption | Cloud Controls, Data Controls | High
Containers with Public access on Blobs | Cloud Controls | Medium
Containers with Public Access on Container | Cloud Controls | Medium
Disks of type Reserved | Cloud Controls | Low
Disks that are not standard tier | Cloud Controls | Low
Dynamic public IP Address Default Limit Reached | Cloud Controls | Low
Ensure that ‘Auditing’ is set to ‘On’ | Cloud Controls | High
Ensure that ‘Automatic provisioning of monitoring agent’ is set to ‘On’ | Cloud Controls | High
Ensure that ‘Disk encryption’ is set to ‘On’ | Cloud Controls, Data Controls | High
Ensure that ‘JIT Network Access’ is set to ‘On’ | Cloud Controls | High
Ensure that no custom subscription owner roles are created | Cloud Controls, Least Privilege | High
Ensure that ‘Public access level’ is set to Private for blob containers | Cloud Controls | High
Ensure that ‘SQL auditing & Threat detection’ is set to ‘On’ | Cloud Controls | High
Ensure that ‘SQL Encryption’ is set to ‘On’ | Cloud Controls, Data Controls | High
Ensure that SQL server access is restricted from the internet | Cloud Controls | High
Ensure that ‘Storage Encryption’ is set to ‘On’ | Cloud Controls, Data Controls | High
Ensure that ‘Storage service encryption’ is set to Enabled for Blob Service | Cloud Controls, Data Controls | High
Ensure that ‘System updates’ is set to ‘On’ | Cloud Controls | High
Ensure that ‘Threat Detection’ is set to ‘On’ | Cloud Controls | High
Ensure that ‘Threat Retention’ is ‘greater than 90 days’ | Cloud Controls | High
List of classic VMs | Cloud Controls | Low
Load Balancer with single or no VM Attached | Cloud Controls | Medium
Load Balancers with no Health Probe Rule | Cloud Controls | Medium
Load Balancer default Limit Reached | Cloud Controls | Low
Load Balancer Subnet security group allowing traffic on insecure ports | Cloud Controls | High
Network Security Groups with Open DNS (TCP) | Cloud Controls | High
Network Security Groups with Open DNS (UDP) | Cloud Controls | High
Network Security Groups with Open FTP | Cloud Controls | High
Network Security Groups with Open LDAP | Cloud Controls | High
Network Security Groups with Open MS SQL | Cloud Controls | High
Network Security Groups with Open MySQL | Cloud Controls | High
Network Security Groups with Open PostgreSQL | Cloud Controls | High
Network Security Groups with Open RDP | Cloud Controls | High
Network Security Groups with Open SMTP | Cloud Controls | High
Network Security Groups with Open SSH | Cloud Controls | High
Network Interface default Limit Reached | Cloud Controls | Low
Non-MFA High Privileged Users | Cloud Controls, Least Privilege | High
NSGs associated with both NIC level and Subnet level | Cloud Controls | Medium
NSGs with Disabled Logging | Cloud Controls | Medium
NSGs with Indefinite Log Retention | Cloud Controls | Medium
Production workloads with no Availability Set | Cloud Controls | Medium
Production Workloads without Resource Locks | Cloud Controls | Medium
Public IPs which have static IPs associated | Cloud Controls | Low
Scale Sets with Autoscaling Disabled | Cloud Controls | Medium
Scale Sets with Over Provision set to false | Cloud Controls | Low
Scale Sets with Upgrade Policy mode set to Automatic | Cloud Controls | Medium
SQL databases not in standard tier | Cloud Controls | Low
SQL Azure Databases with Encryption Disabled | Cloud Controls, Data Controls | High
SQL Azure Threat Retention ‘greater than 90 days’ | Cloud Controls | Medium
SQL Azure with access open to Internet | Cloud Controls | High
SQL Azure with Auditing Disabled | Cloud Controls | High
SQL Azure with Threat Detection Disabled | Cloud Controls | High
Standard Disk attached to VMs (HDD) | Cloud Controls | Low
Static Public IP Address Default Limit Reached | Cloud Controls | Low
Storage Account Metrics | Cloud Controls | Low
Storage accounts that are not standard tier | Cloud Controls | Low
Subscriptions with NSG default limit reached | Cloud Controls | Low
Total Azure Active Directory Groups | Cloud Controls | Low
Underutilized Availability Sets | Cloud Controls | Low
Underutilized Scale Sets | Cloud Controls | Low
Unencrypted Disks | Cloud Controls, Data Controls | High
Unused Disks | Cloud Controls | Low
Unused Network Security Groups | Cloud Controls | Low
Unused Public IP Addresses | Cloud Controls | Low
Unused Static Public IP Addresses | Cloud Controls | Low
VM Default Limit Reached | Cloud Controls | Medium
VM instances associated with Public IP | Cloud Controls | Low
VM Instances with automatic updates disabled | Cloud Controls | Low
VM Instances with Open DNS (TCP) | Cloud Controls | High
VM Instances with Open DNS (UDP) | Cloud Controls | High
VM Instances with Open FTP | Cloud Controls | High
VM Instances with Open LDAP | Cloud Controls | High
VM Instances with Open MS SQL | Cloud Controls | High
VM Instances with Open MySQL | Cloud Controls | High
VM Instances with Open PostgreSQL | Cloud Controls | High
VM Instances with Open RDP | Cloud Controls | High
VM Instances with Open SMTP | Cloud Controls | High
VM Instances with Open SSH | Cloud Controls | High
VM Instances with Provision VM Agent disabled | Cloud Controls | Low
VM Network Security Groups allowing Global Inbound traffic on All Ports | Cloud Controls | Medium
VM Network Security Groups allowing inbound traffic from RFC-1918 CIDRs | Cloud Controls, Least Privilege | Medium
VMs outside Resource Groups | Cloud Controls | Medium
VMs with Disabled Logging | Cloud Controls | Medium
Workloads without Resource Locks | Cloud Controls | Low

Data Controls

Showing 1 control:
Control Title | Control Type | Risk Rating
Access to Manage Azure Access Rights | Data Controls, Least Privilege | Critical

Least Privilege

Showing 2 controls:
Control Title | Control Type | Risk Rating
High privileged access to VMs | Least Privilege | High
High Privileged Azure Users | Least Privilege | High