Azure Resource Manager
AzureResourceManager Queries List
This page contains all queries from AzureResourceManager.
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Key Vault Not Recoverable 7c25f361-7c66-44bf-9b69-022acd5eb4bd | High | Backup | Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true | Documentation |
Azure Instance Using Basic Authentication 6797f581-0433-4768-ae3e-7ceb2f8b138e | High | Best Practices | Azure Instances should use SSH Key instead of basic authentication | Documentation |
Secret Without Expiration Date cff9c3f7-e8f0-455f-9fb4-5f72326da96e | High | Best Practices | All Secrets must have an expiration date defined | Documentation |
Storage Account Allows Unsecure Transfer 1367dd13-2c90-4020-80b7-e4339a3dc2c4 | High | Encryption | 'Microsoft.Storage/storageAccounts' should force the use of HTTPS | Documentation |
Web App Not Using TLS Last Version b5c851d5-00f1-43dc-a8de-3218fd6f71be | High | Encryption | Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' | Documentation |
Azure Managed Disk Without Encryption 350f3955-b5be-436f-afaa-3d2be2fa6cdd | High | Encryption | Azure Disk Encryption should be enabled | Documentation |
Website Not Forcing HTTPS 488847ff-6031-487c-bf42-98fd6ac5c9a0 | High | Insecure Configurations | 'Microsoft.Web/sites' should force the use of HTTPS | Documentation |
Trusted Microsoft Services Not Enabled e25b56cd-a4d6-498f-ab92-e6296a082097 | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
SQL Database Server Firewall Allows All IPS 6a3201a5-1630-494b-b294-3129d06b0eca | High | Networking and Firewall | SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0', since this allows all IPs | Documentation |
MySQL Server SSL Enforcement Disabled 90120147-f2e7-4fda-bb21-6fa9109afd63 | High | Networking and Firewall | 'Microsoft.DBforMySQL/servers' should enforce SSL | Documentation |
PostgreSQL Database Server SSL Disabled bf500309-da53-4dd3-bcf7-95f7974545a5 | High | Networking and Firewall | Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' | Documentation |
Website with Client Certificate Auth Disabled 92302b47-b0cc-46cb-a28f-5610ecda140b | High | Networking and Firewall | 'Microsoft.Web/sites' should have client certificate authentication enabled | Documentation |
Network Security Group With Unrestricted Access To RDP 59cb3da7-f206-4ae6-b827-7abf0a9cab9d | High | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the Internet | Documentation |
Storage Blob Service Container With Public Access a0ab985d-660b-41f7-ac81-70957ee8e627 | High | Networking and Firewall | Storage Blob Service Container should not be publicly accessible | Documentation |
Network Security Group With Unrestricted Access To SSH 2ade1579-4b2c-4590-bebb-f99bf597f612 | High | Networking and Firewall | Port 22 (SSH) is exposed to the Internet | Documentation |
Role Definitions Allow Custom Subscription Role Creation 8fa9ceea-881f-4ef0-b0b8-728f589699a7 | Medium | Access Control | Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') | Documentation |
AKS Cluster RBAC Disabled 9307a2ed-35c2-413d-94de-a1a0682c2158 | Medium | Access Control | Microsoft.ContainerService/managedClusters should have enableRBAC set to true | Documentation |
SQL Server Database With Alerts Disabled 574e8d82-1db2-4b9c-b526-e320ede9a9ff | Medium | Best Practices | All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties | Documentation |
AKS Cluster Network Policy Not Configured 25c0228e-4444-459b-a2df-93c7df40b7ed | Medium | Insecure Configurations | Azure Kubernetes Service must have a network policy defined. | Documentation |
AKS With Authorized IP Ranges Disabled 2583fab1-953b-4fae-bd02-4a136a6c21f9 | Medium | Networking and Firewall | Azure Kubernetes Service must have an authorized IP range for API Services enabled | Documentation |
PostgreSQL Database Server Log Connections Disabled e69bda39-e1e2-47ca-b9ee-b6531b23aedd | Medium | Networking and Firewall | Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' | Documentation |
Standard Price Is Not Selected 2081c7d6-2851-4cce-bda5-cb49d462da42 | Medium | Networking and Firewall | Azure Security Center provides more features for standard pricing mode, so it must be activated. | Documentation |
PostgreSQL Database Server Log Checkpoints Disabled f9112910-c7bb-4864-9f5e-2059ba413bb7 | Medium | Networking and Firewall | Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' | Documentation |
PostgresSQL Database Server Connection Throttling Disabled a6d774b6-d9ea-4bf4-8433-217bf15d2fb8 | Medium | Networking and Firewall | Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' | Documentation |
Log Profile Incorrect Category 4d522e7b-f938-4d51-a3b1-974ada528bd3 | Medium | Observability | Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' | Documentation |
AKS Logging To Azure Monitoring Is Disabled 9b09dee1-f09b-4013-91d2-158fa4695f4b | Medium | Observability | Azure Kubernetes Service should have logging to Azure Monitoring enabled. | Documentation |
SQL Server Database With Unrecommended Retention Days c09cdac2-7670-458a-bf6c-efad6880973a | Medium | Observability | SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days | Documentation |
SQL Server Database Without Auditing e055285c-bc01-48b4-8aa5-8a54acdd29df | Medium | Observability | Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled | Documentation |
Unrecommended Log Profile Retention Policy 25684eac-daaa-4c2c-94b4-8d2dbb627909 | Medium | Observability | Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) | Documentation |
Unrecommended Network Watcher Flow Log Retention Policy 564b70f8-41cd-4690-aff8-bb53add86bc9 | Medium | Observability | Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 | Documentation |
Storage Logging For Read Write And Delete Requests Disabled 43f6e60c-9cdb-4e77-864d-a66595d26518 | Medium | Observability | Storage Logging should be enabled for read, write and delete methods | Documentation |
Hardcoded SecureString Parameter Default Value 4d2cf896-c053-4be5-9c95-8b4771112f29 | Medium | Secret Management | Secure parameters should not have a hardcoded default value | Documentation |
Website Azure Active Directory Disabled e9c133e5-c2dd-4b7b-8fff-40f2de367b56 | Low | Access Control | WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' | Documentation |
Phone Number Not Set For Security Contacts 3e9fcc67-1f64-405f-b2f9-0a6be17598f0 | Low | Best Practices | Microsoft.Security securityContacts should have a phone number defined | Documentation |
AKS Dashboard Is Enabled c62d3b92-9a11-4ffd-b7b7-6faaae83faed | Low | Insecure Configurations | Azure Kubernetes Service should have the Kubernetes dashboard disabled. | Documentation |
Website with 'Http20Enabled' Disabled 70111098-7f85-48f0-b1b4-e4261cf5f61b | Low | Networking and Firewall | 'Microsoft.Web/sites' should have 'Http20Enabled' enabled | Documentation |
Storage Account Allows Default Network Access 9073f073-5d60-4b46-b569-0d6baa80ed95 | Low | Networking and Firewall | 'Microsoft.Storage/storageAccounts' should force the use of HTTPS | Documentation |
App Service Authentication Is Not Set 83130a07-235b-4a80-918b-a370e53f0bd9 | Info | Access Control | Azure App Service should have App Service Authentication set | Documentation |
Account Admins Not Notified By Email a8852cc0-fd4b-4fc7-9372-1e43fad0732e | Info | Best Practices | Account admins should be notified by email in the event of security alerts | Documentation |
SQL Alert Policy Without Emails 89b79fe5-49bd-4d39-84ce-55f5fc6f7764 | Info | Best Practices | SQL Database Server should contain emails to be notified in the event of a Security Alert | Documentation |
Email Notifications Disabled 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92 | Info | Networking and Firewall | Email notifications about new security alerts should be set to 'On' and be sent to persons with specific RBAC roles on the subscription | Documentation |