Skip to content

Azure Resource Manager

AzureResourceManager Queries List

This page contains all queries from AzureResourceManager.

Query Severity Category Description Help
Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd
High Backup Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true Documentation
Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e
High Best Practices Azure Instances should use SSH Key instead of basic authentication Documentation
Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e
High Best Practices All Secrets must have an expiration date defined Documentation
Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd
High Encryption Azure Disk Encryption should be enabled Documentation
Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4
High Encryption 'Microsoft.Storage/storageAccounts' should force the use of HTTPS Documentation
Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be
High Encryption Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' Documentation
Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0
High Insecure Configurations 'Microsoft.Web/sites' should force the use of HTTPS Documentation
Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097
High Networking and Firewall Trusted Microsoft Services should be enabled for Storage Account access Documentation
Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612
High Networking and Firewall Port 22 (SSH) is exposed to the Internet Documentation
Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b
High Networking and Firewall 'Microsoft.Web/sites' should have client certificate authentication enabled Documentation
PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5
High Networking and Firewall Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' Documentation
Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d
High Networking and Firewall Port 3389 (Remote Desktop) is exposed to the Internet Documentation
MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63
High Networking and Firewall 'Microsoft.DBforMySQL/servers' should enforce SSL Documentation
Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627
High Networking and Firewall Storage Blob Service Container should not publicly accessible Documentation
SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca
High Networking and Firewall SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS Documentation
AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158
Medium Access Control Microsoft.ContainerService/managedClusters should have enableRBAC set to true Documentation
Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7
Medium Access Control Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') Documentation
SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff
Medium Best Practices All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties Documentation
AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed
Medium Insecure Configurations Azure Kubernetes Service must have a network policy defined. Documentation
PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8
Medium Networking and Firewall Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' Documentation
PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7
Medium Networking and Firewall Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' Documentation
AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9
Medium Networking and Firewall Azure Kubernetes Service must have an authorized IP range for API Services enabled Documentation
Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42
Medium Networking and Firewall Azure Security Center provides more features for standard pricing mode, so it must be activated. Documentation
PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd
Medium Networking and Firewall Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' Documentation
Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909
Medium Observability Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) Documentation
SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a
Medium Observability SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days Documentation
Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9
Medium Observability Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 Documentation
AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b
Medium Observability Azure Kubernetes Service should have logging to Azure Monitoring enabled. Documentation
SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df
Medium Observability Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled Documentation
Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3
Medium Observability Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' Documentation
Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518
Medium Observability Storage Logging should be enabled for read, write and delete methods Documentation
Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29
Medium Secret Management Secure parameters should not have hardcoded default value Documentation
Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56
Low Access Control WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' Documentation
Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0
Low Best Practices Microsoft.Security securityContacts should have a phone number defined Documentation
AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed
Low Best Practices Azure Kubernetes Service should have the Kubernetes dashboard disabled. Documentation
Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95
Low Networking and Firewall 'Microsoft.Storage/storageAccounts' should force the use of HTTPS Documentation
Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b
Low Networking and Firewall 'Microsoft.Web/sites' should have 'Http20Enabled' enabled Documentation
App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9
Info Access Control Azure App Service should have App Service Authentication set Documentation
Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e
Info Best Practices Account admins should be notified by email in the event of security alerts Documentation
SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764
Info Best Practices SQL Database Server should contain emails to be notified in the event of a Security Alert Documentation
Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92
Info Networking and Firewall Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription Documentation