Standard Price Is Not Selected

  • Query id: 2081c7d6-2851-4cce-bda5-cb49d462da42
  • Query name: Standard Price Is Not Selected
  • Platform: AzureResourceManager
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

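Azure Security Center provides more features in the Standard pricing tier, so the Standard tier must be selected. In the samples below, a 'Microsoft.Security/pricings' resource is flagged when its 'pricingTier' is 'Free', whether set literally or through a parameter whose default value is 'Free'.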
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "webApp1",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "location": "[resourceGroup().location]",
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
        "displayName": "webApp1"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      ],
      "properties": {
        "name": "webApp1",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2017-08-01-preview",
      "name": "Princing",
      "properties": {
        "pricingTier": "Free"
      }
    }
  ]
}
Positive test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "name": "webApp1",
          "type": "Microsoft.Web/sites",
          "apiVersion": "2018-11-01",
          "location": "[resourceGroup().location]",
          "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
            "displayName": "webApp1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          ],
          "properties": {
            "name": "webApp1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          }
        },
        {
          "type": "Microsoft.Security/pricings",
          "apiVersion": "2017-08-01-preview",
          "name": "Princing",
          "properties": {
            "pricingTier": "Free"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Positive test num. 3 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "virtualMachineTier": {
            "type": "string",
            "defaultValue": "Free",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Virtual Machine resource type"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "VirtualMachines",
            "properties": {
                "pricingTier": "[parameters('virtualMachineTier')]"
            }
        }
    ],
    "outputs": {
    }
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "webApp1",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "location": "[resourceGroup().location]",
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
        "displayName": "webApp1"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      ],
      "properties": {
        "name": "webApp1",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2017-08-01-preview",
      "name": "Princing",
      "properties": {
        "pricingTier": "Standard"
      }
    }
  ]
}
Negative test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "name": "webApp1",
          "type": "Microsoft.Web/sites",
          "apiVersion": "2018-11-01",
          "location": "[resourceGroup().location]",
          "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
            "displayName": "webApp1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          ],
          "properties": {
            "name": "webApp1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
          }
        },
        {
          "type": "Microsoft.Security/pricings",
          "apiVersion": "2017-08-01-preview",
          "name": "Princing",
          "properties": {
            "pricingTier": "Standard"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Negative test num. 3 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "workspaceName": {
            "type": "string",
            "defaultValue": "az-security-workspace",
            "allowedValues": [
                "az-security-workspace"
            ],
            "metadata": {
                "description": "Name of the central Log Analytics workspace that stores security event and data collected by Azure Security Center"
            }
        },
        "workspaceRgName": {
            "type": "string",
            "defaultValue": "azsec-security-rg",
            "allowedValues": [
                "azsec-security-rg"
            ],
            "metadata": {
                "description": "Name of the resource group where the central log analytics workspace belongs to"
            }
        },
        "autoProvisionSetting": {
            "type": "string",
            "defaultValue": "On",
            "allowedValues": [
                "On",
                "Off"
            ],
            "metadata": {
                "description": "Specify whether Auto Provisioning is turned on or off"
            }
        },
        "ascOwnerEmail": {
            "type": "string",
            "metadata": {
                "description": "Email of the administrator who should be notified about Azure Security Center alert"
            }
        },
        "ascOwnerContact": {
            "type": "string",
            "metadata": {
                "description": "Phone number of the administrator who should be notified about Azure Security Center alert"
            }
        },
        "highSeverityAlertNotification": {
            "type": "string",
            "defaultValue": "On",
            "allowedValues": [
                "On",
                "Off"
            ],
            "metadata": {
                "description": "Specify whether you want to notify high severity alert to ASC administrator"
            }
        },
        "subscriptionOwnerNotification": {
            "type": "string",
            "defaultValue": "On",
            "allowedValues": [
                "On",
                "Off"
            ],
            "metadata": {
                "description": "Specify whether you want to notify high severity alert to subscription owner"
            }
        },
        "virtualMachineTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Virtual Machine resource type"
            }
        },
        "appServiceTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Azure App Service resource type"
            }
        },
        "paasSQLServiceTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for PaaS SQL Service resource type"
            }
        },
        "sqlServerOnVmTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for SQL Server on VM resource type"
            }
        },
        "storageAccountTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Storage Account resource type"
            }
        },
        "kubernetesServiceTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Kubernetes service resource type"
            }
        },
        "containerRegistryTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Container Registry resource type"
            }
        },
        "keyvaultTier": {
            "type": "string",
            "defaultValue": "Standard",
            "allowedValues": [
                "Standard",
                "Free"
            ],
            "metadata": {
                "description": "Specify whether you want to enable Standard tier for Key Vault resource type"
            }
        },
        "integrationName": {
            "type": "string",
            "allowedValues": [
                "MCAS",
                "MDATP"
            ],
            "metadata": {
                "description": "Select integration name to enable. Only MCAS or MDATP is supported."
            }
        },
        "integrationEnabled": {
            "type": "bool",
            "allowedValues": [
                true,
                false
            ],
            "metadata": {
                "description": "Specify whether you want to enable or not."
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Security/workspaceSettings",
            "apiVersion": "2017-08-01-preview",
            "name": "default",
            "properties": {
                "scope": "[subscription().id]",
                "workspaceId": "[concat(subscription().id,'/resourceGroups/',parameters('workspaceRgName'),'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"
            }
        },
        {
            "type": "Microsoft.Security/autoProvisioningSettings",
            "apiVersion": "2017-08-01-preview",
            "name": "default",
            "properties": {
                "autoProvision": "[parameters('autoProvisionSetting')]"
            }
        },
        {
            "type": "Microsoft.Security/securityContacts",
            "apiVersion": "2017-08-01-preview",
            "name": "default1",
            "properties": {
                "emails": "[parameters('ascOwnerEmail')]",
                "phone": "[parameters('ascOwnerContact')]",
                "alertNotifications": {
                    "state": "On",
                    "minimalSeverity": "[parameters('highSeverityAlertNotification')]"
                },
                "notificationsByRole": {
                    "state": "On",
                    "roles": "[parameters('subscriptionOwnerNotification')]"
                }
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "VirtualMachines",
            "properties": {
                "pricingTier": "[parameters('virtualMachineTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "AppServices",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/VirtualMachines')]"
            ],
            "properties": {
                "pricingTier": "[parameters('appServiceTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "SqlServers",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/AppServices')]"
            ],
            "properties": {
                "pricingTier": "[parameters('paasSQLServiceTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "SqlServerVirtualMachines",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/SqlServers')]"
            ],
            "properties": {
                "pricingTier": "[parameters('sqlServerOnVmTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "StorageAccounts",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/SqlServerVirtualMachines')]"
            ],
            "properties": {
                "pricingTier": "[parameters('storageAccountTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "KubernetesService",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/StorageAccounts')]"
            ],
            "properties": {
                "pricingTier": "[parameters('kubernetesServiceTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "ContainerRegistry",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/KubernetesService')]"
            ],
            "properties": {
                "pricingTier": "[parameters('containerRegistryTier')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "KeyVaults",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/ContainerRegistry')]"
            ],
            "properties": {
                "pricingTier": "[parameters('keyvaultTier')]"
            }
        },
        {
            "type": "Microsoft.Security/settings",
            "apiVersion": "2019-01-01",
            "name": "[parameters('integrationName')]",
            "kind": "DataExportSettings",
            "properties": {
                "enabled": "[parameters('integrationEnabled')]"
            }
        }
    ],
    "outputs": {
    }
}