Standard Price Is Not Selected

  • Query id: 2081c7d6-2851-4cce-bda5-cb49d462da42
  • Query name: Standard Price Is Not Selected
  • Platform: AzureResourceManager
  • Severity: Low
  • Category: Resource Management
  • CWE: Ongoing
  • URL: Github

Description

Azure Security Center provides more features for standard pricing mode, so it must be activated.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - bicep file
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
  name: 'webApp1'
  location: resourceGroup().location
  tags: {
    'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
    displayName: 'webApp1'
  }
  properties: {
    name: 'webApp1'
    serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
  }
  dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}

resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
  name: 'Princing'
  properties: {
    pricingTier: 'Free'
  }
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "webApp1",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "location": "[resourceGroup().location]",
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
        "displayName": "webApp1"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      ],
      "properties": {
        "name": "webApp1",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2017-08-01-preview",
      "name": "Princing",
      "properties": {
        "pricingTier": "Free"
      }
    }
  ]
}
Positive test num. 3 - bicep file
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
  name: 'webApp1'
  location: resourceGroup().location
  tags: {
    'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
    displayName: 'webApp1'
  }
  properties: {
    name: 'webApp1'
    serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
  }
  dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}

resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
  name: 'Princing'
  properties: {
    pricingTier: 'Free'
  }
}

Positive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "name": "webApp1",
          "type": "Microsoft.Web/sites",
          "apiVersion": "2018-11-01",
          "location": "[resourceGroup().location]",
          "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
            "displayName": "webApp1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          ],
          "properties": {
            "name": "webApp1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          }
        },
        {
          "type": "Microsoft.Security/pricings",
          "apiVersion": "2017-08-01-preview",
          "name": "Princing",
          "properties": {
            "pricingTier": "Free"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Positive test num. 5 - bicep file
@description(
  'Specifiy whether you want to enable Standard tier for Virtual Machine resource type'
)
@allowed(['Standard', 'Free'])
param virtualMachineTier string = 'Free'

resource VirtualMachines 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: virtualMachineTier
  }
}
Positive test num. 6 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "virtualMachineTier": {
            "type": "string",
            "defaultValue": "Free",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "VirtualMachines",
            "properties": {
                "pricingTier": "[parameters('virtualMachineTier')]"
            }
        }
    ],
    "outputs": {
    }
}

Code samples without security vulnerabilities

Negative test num. 1 - bicep file
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
  name: 'webApp1'
  location: resourceGroup().location
  tags: {
    'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
    displayName: 'webApp1'
  }
  properties: {
    name: 'webApp1'
    serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
  }
  dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}

resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
  name: 'Princing'
  properties: {
    pricingTier: 'Standard'
  }
}
Negative test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "webApp1",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "location": "[resourceGroup().location]",
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
        "displayName": "webApp1"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      ],
      "properties": {
        "name": "webApp1",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2017-08-01-preview",
      "name": "Princing",
      "properties": {
        "pricingTier": "Standard"
      }
    }
  ]
}
Negative test num. 3 - bicep file
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
  name: 'webApp1'
  location: resourceGroup().location
  tags: {
    'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
    displayName: 'webApp1'
  }
  properties: {
    name: 'webApp1'
    serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
  }
  dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}

resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
  name: 'Princing'
  properties: {
    pricingTier: 'Standard'
  }
}

Negative test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "name": "webApp1",
          "type": "Microsoft.Web/sites",
          "apiVersion": "2018-11-01",
          "location": "[resourceGroup().location]",
          "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
            "displayName": "webApp1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          ],
          "properties": {
            "name": "webApp1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          }
        },
        {
          "type": "Microsoft.Security/pricings",
          "apiVersion": "2017-08-01-preview",
          "name": "Princing",
          "properties": {
            "pricingTier": "Standard"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Negative test num. 5 - bicep file
@description(
  'Name of the central Log Analytics workspace that stores security event and data collected by Azure Security Center'
)
@allowed(['az-security-workspace'])
param workspaceName string = 'az-security-workspace'

@description(
  'Name of the resource group where the central log analytics workspace belongs to'
)
@allowed(['azsec-security-rg'])
param workspaceRgName string = 'azsec-security-rg'

@description('Specify whether Auto Provisoning is turned on or off')
@allowed(['On', 'Off'])
param autoProvisionSetting string = 'On'

@description(
  'Email of the administrator who should be notified about Azure Security Center alert'
)
param ascOwnerEmail string

@description(
  'Phone number of the administrator should be notified about Azure Security Center alert'
)
param ascOwnerContact string

@description(
  'Specify whether you want to notify high severity alert to ASC administrator'
)
@allowed(['On', 'Off'])
param highSeverityAlertNotification string = 'On'

@description(
  'Specifiy whether you want to notify high severity alert to subscription owner'
)
@allowed(['On', 'Off'])
param subscriptionOwnerNotification string = 'On'

@description(
  'Specifiy whether you want to enable Standard tier for Virtual Machine resource type'
)
@allowed(['Standard', 'Free'])
param virtualMachineTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for Azure App Service resource type'
)
@allowed(['Standard', 'Free'])
param appServiceTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for PaaS SQL Service resource type'
)
@allowed(['Standard', 'Free'])
param paasSQLServiceTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for SQL Server on VM resource type'
)
@allowed(['Standard', 'Free'])
param sqlServerOnVmTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for Storage Account resource type'
)
@allowed(['Standard', 'Free'])
param storageAccountTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for Kubernetes service resource type'
)
@allowed(['Standard', 'Free'])
param kubernetesServiceTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for Container Registry resource type'
)
@allowed(['Standard', 'Free'])
param containerRegistryTier string = 'Standard'

@description(
  'Specify whether you want to enable Standard tier for Key Vault resource type'
)
@allowed(['Standard', 'Free'])
param keyvaultTier string = 'Standard'

@description(
  'Select integration name to enable. Only MCAS or MDATP is supported.'
)
@allowed(['MCAS', 'MDATP'])
param integrationName string

@description('Specify whether you want to enable or not.')
@allowed([true, false])
param integrationEnabled bool

resource default 'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
  name: 'default'
  properties: {
    scope: subscription().id
    workspaceId: '${subscription().id}/resourceGroups/${workspaceRgName}/providers/Microsoft.OperationalInsights/workspaces/${workspaceName}'
  }
}

resource Microsoft_Security_autoProvisioningSettings_default 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = {
  name: 'default'
  properties: {
    autoProvision: autoProvisionSetting
  }
}

resource default1 'Microsoft.Security/securityContacts@2017-08-01-preview' = {
  name: 'default1'
  properties: {
    emails: ascOwnerEmail
    phone: ascOwnerContact
    alertNotifications: {
      state: 'On'
      minimalSeverity: highSeverityAlertNotification
    }
    notificationsByRole: {
      state: 'On'
      roles: subscriptionOwnerNotification
    }
  }
}

resource VirtualMachines 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: virtualMachineTier
  }
}

resource AppServices 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'AppServices'
  properties: {
    pricingTier: appServiceTier
  }
  dependsOn: [VirtualMachines]
}

resource SqlServers 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'SqlServers'
  properties: {
    pricingTier: paasSQLServiceTier
  }
  dependsOn: [AppServices]
}

resource SqlServerVirtualMachines 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'SqlServerVirtualMachines'
  properties: {
    pricingTier: sqlServerOnVmTier
  }
  dependsOn: [SqlServers]
}

resource StorageAccounts 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: storageAccountTier
  }
  dependsOn: [SqlServerVirtualMachines]
}

resource KubernetesService 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'KubernetesService'
  properties: {
    pricingTier: kubernetesServiceTier
  }
  dependsOn: [StorageAccounts]
}

resource ContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'ContainerRegistry'
  properties: {
    pricingTier: containerRegistryTier
  }
  dependsOn: [KubernetesService]
}

resource KeyVaults 'Microsoft.Security/pricings@2018-06-01' = {
  name: 'KeyVaults'
  properties: {
    pricingTier: keyvaultTier
  }
  dependsOn: [ContainerRegistry]
}

resource integration 'Microsoft.Security/settings@2019-01-01' = {
  name: integrationName
  kind: 'DataExportSettings'
  properties: {
    enabled: integrationEnabled
  }
}
Negative test num. 6 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "workspaceName": {
            "type": "string",
            "defaultValue": "az-security-workspace",
            "allowedValues": [
                "az-security-workspace"
            ],
            "metadata": {
                "description": "Name of the central Log Analytics workspace that stores security event and data collected by Azure Security Center"
            }
        },
        "workspaceRgName": {
            "type": "string",
            "defaultValue": "azsec-security-rg",
            "allowedValues": [
                "azsec-security-rg"
            ],
            "metadata": {
                "description": "Name of the resource group where the central log analytics workspace belongs to"
            }
        },
        "autoProvisionSetting": {
            "type": "string",
            "defaultValue": "On",
            "allowedValues": [
                "On",
                "Off"
            ],
            "metadata": {
                "description": "Specify whether Auto Provisoning is turned on or off"
            }
        },
        "ascOwnerEmail": {
            "type": "string",
            "metadata": {
                "description": "Email of the administrator who should be notified about Azure Security Center alert"
            }
        },
        "ascOwnerContact": {
            "type": "string",
            "metadata": {
                "description": "Phone number of the administrator should be notified about Azure Security Center alert"
            }
        },
        "highSeverityAlertNotification": {
            "type": "string",
            "defaultValue": "On",
            "allowedValues": [
                "On",
                "Off"
            ],
            "metadata": {
                "description": "Specify whether you want to notify high severity alert to ASC administrator"
            }
        },
        "subscriptionOwnerNotification": {
            "type": "string",
            "defaultValue": "On",
            "allowedValues": [
                "On",
                "Off"
            ],
            "metadata": {
                "description": "Specifiy whether you want to notify high severity alert to subscription owner"
            }
        },
        "virtualMachineTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type"
            }
        },
        "appServiceTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Azure App Service resource type"
            }
        },
        "paasSQLServiceTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for PaaS SQL Service resource type"
            }
        },
        "sqlServerOnVmTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for SQL Server on VM resource type"
            }
        },
        "storageAccountTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Storage Account resource type"
            }
        },
        "kubernetesServiceTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Kubernetes service resource type"
            }
        },
        "containerRegistryTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Container Registry resource type"
            }
        },
        "keyvaultTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Key Vault resource type"
            }
        },
        "integrationName": {
            "type": "string",
            "allowedValues": [
                "MCAS",
                "MDATP"
            ],
            "metadata": {
                "description": "Select integration name to enable. Only MCAS or MDATP is supported."
            }
        },
        "integrationEnabled": {
            "type": "bool",
            "allowedValues": [
                true,
                false
            ],
            "metadata": {
                "description": "Specify whether you want to enable or not."
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Security/workspaceSettings",
            "apiVersion": "2017-08-01-preview",
            "name": "default",
            "properties": {
                "scope": "[subscription().id]",
                "workspaceId": "[concat(subscription().id,'/resourceGroups/',parameters('workspaceRgName'),'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"
            }
        },
        {
            "type": "Microsoft.Security/autoProvisioningSettings",
            "apiVersion": "2017-08-01-preview",
            "name": "default",
            "properties": {
                "autoProvision": "[parameters('autoProvisionSetting')]"
            }
        },
        {
            "type": "Microsoft.Security/securityContacts",
            "apiVersion": "2017-08-01-preview",
            "name": "default1",
            "properties": {
                "emails": "[parameters('ascOwnerEmail')]",
                "phone": "[parameters('ascOwnerContact')]",
                "alertNotifications": {
                    "state": "On",
                    "minimalSeverity": "[parameters('highSeverityAlertNotification')]"
                },
                "notificationsByRole": {
                    "state": "On",
                    "roles": "[parameters('subscriptionOwnerNotification')]"
                }
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "VirtualMachines",
            "properties": {
                "pricingTier": "[parameters('virtualMachineTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "AppServices",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/VirtualMachines')]"
            ],
            "properties": {
                "pricingTier": "[parameters('appServiceTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "SqlServers",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/AppServices')]"
            ],
            "properties": {
                "pricingTier": "[parameters('paasSQLServiceTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "SqlServerVirtualMachines",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/SqlServers')]"
            ],
            "properties": {
                "pricingTier": "[parameters('sqlServerOnVmTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "StorageAccounts",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/SqlServerVirtualMachines')]"
            ],
            "properties": {
                "pricingTier": "[parameters('storageAccountTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "KubernetesService",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/StorageAccounts')]"
            ],
            "properties": {
                "pricingTier": "[parameters('kubernetesServiceTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "ContainerRegistry",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/KubernetesService')]"
            ],
            "properties": {
                "pricingTier": "[parameters('containerRegistryTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "KeyVaults",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/ContainerRegistry')]"
            ],
            "properties": {
                "pricingTier": "[parameters('keyvaultTier')]"
            }
        },
        {
            "type": "Microsoft.Security/settings",
            "apiVersion": "2019-01-01",
            "name": "[parameters('integrationName')]",
            "kind": "DataExportSettings",
            "properties": {
                "enabled": "[parameters('integrationEnabled')]"
            }
        }
    ],
    "outputs": {
    }
}