Best practice rules for Microsoft Azure

Ensure that AKS clusters are using the latest available version of Kubernetes software.

Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.

Ensure there are no custom owner roles within your Microsoft Azure cloud account.

Ensure that security groups can be created only by Active Directory (AD) administrators.

Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.

Ensure that security groups can be managed only by Active Directory (AD) administrators.

Ensure there are no Microsoft Azure Active Directory guest users if they are not needed.

Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.

Ensure that Active Directory (AD) self-service group management is disabled for non-administrator users.

Ensure that user authentication information reconfirmation is enabled within Active Directory password reset policy.

Ensure that the number of methods required for user password reset is set to 2 (two).

Ensure that Multi-Factor Authentication feature is enabled for all non-privileged users.

Ensure that Multi-Factor Authentication (MFA) is enabled for all privileged Azure users

Ensure that Microsoft Azure Active Directory (AD) admins are notified on password resets.

Ensure that Microsoft Azure Active Directory (AD) users are notified on password resets.

Require Active Directory administrators to provide consent for applications before use.

Ensure that Active Directory (AD) guest users permissions are limited.

Ensure that joining devices to Active Directory requires Multi-Factor Authentication.

Ensure that Active Directory users are not allowed to add applications to Azure Access Panel.

Ensure that non-privileged users are not allowed to register third-party applications.

Ensure that guest users cannot invite other guests to collaborate with your organization.

Ensure that only Active Directory administrators can invite guests to your directory.

Ensure that non-administrator users are not allowed to access Active Directory administration portal.

Ensure that Office 365 groups can be created only by Active Directory (AD) administrators.

Ensure that an activity log alert is created for the "Create Policy Assignment" events.

Ensure that an activity log alert is created for "Create or Update Load Balancer" events.

Ensure that an activity log alert is created for the "Create/Update Security Solution" events.

Ensure that an activity log alert is created for "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)" events.

Ensure that an activity log alert is created for the “Create/Update/Delete SQL Server Firewall Rule” events.

Ensure that an activity log alert is created for "Create/Update Azure SQL Database" events.

Ensure that an activity log alert is created for the "Create/Update Network Security Group" events.

Ensure there is an activity log alert created for the "Create/Update Storage Account" events.

Ensure that an activity log alert is created for the "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" events.

Ensure that an activity log alert is created for "Delete Azure SQL Database (Microsoft.Sql/servers/databases)" events.

Ensure there is an activity log alert created for the "Delete Key Vault" events.

Ensure there is an Azure activity log alert created for "Delete Load Balancer" events.

Ensure that an activity log alert is created for the "Delete Network Security Group Rule" events.

Ensure that an activity log alert is created for the "Delete Network Security Group" events.

Ensure that an activity log alert is created for the "Delete Security Solution" events.

Ensure that an activity log alert exists for "Delete Storage Account" events.

Ensure that an activity log alert exists for "Delete Virtual Machine" events.

Ensure that an activity log alert exists for "Power Off Virtual Machine" events.

Ensure that an activity log alert is created for "Rename Azure SQL Database" events.

Ensure that an activity log alert is created for "Update Key Vault (Microsoft.KeyVault/vaults)" events.

Ensure that an activity log alert is created for the "Update Security Policy" events.

Ensure that an activity log alert is created for “Create/Update MySQL Database” events.

Ensure that an activity log alert is created for the “Create/Update Network Security Group Rule” events.

Ensure that an activity log alert is created for “Create/Update PostgreSQL Database” events.

Ensure that an activity log alert is created for “Delete MySQL Database” events.

Ensure that an activity log alert is created for “Delete PostgreSQL Database” events.

Ensure that Microsoft Azure Advisor recommendations are analyzed and implemented.

Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications.

Ensure that Azure App Service web applications are using the latest stable version of Java.

Ensure that Azure App Service web applications are using the latest version of PHP.

Ensure that Azure App Service web applications are using the latest version of Python.

Ensure there is a sufficient backup retention period configured for Azure App Services applications.

Ensure that Azure App Service web applications are using the latest version of TLS encryption.

Disable Remote Debugging feature for your Microsoft Azure App Services web applications.

Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On feature.

Ensure that App Service Authentication is enabled within your Microsoft Azure cloud account.

Ensure that Azure App Services applications are configured to use Application Insights feature.

Ensure that all your Azure App Services applications are using the Backup and Restore feature.

Enable FTPS-only access for your Microsoft Azure App Services web applications.

Ensure that Azure App Service web applications are using the latest stable version of HTTP.

Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications.

Ensure that Azure App Service web applications are using incoming client certificates.

Ensure that registration with Azure Active Directory is enabled for Azure App Service applications.

Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts.

Enable automatic failover for Microsoft Azure Cosmos DB accounts.

Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB accounts configuration.

Ensure that a Customer-Managed Key is created for your Azure cloud application tier.

Ensure that Azure Key Vault certificates are using the appropriate key type(s).

Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date.

Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.

Ensure that Azure Key Vault RSA certificates are using the appropriate key size.

Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults.

Ensure there is a sufficient period configured for the SSL certificates auto-renewal.

Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud database tier.

Ensure that AuditEvent logging is enabled for your Microsoft Azure Key Vaults.

Ensure that certificate transparency is enabled for all your Azure Key Vault certificates.

Ensure that your Microsoft Azure Key Vault instances are recoverable.

Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.

Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates).

Ensure that default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration.

Ensure that an expiration date is set for all your Microsoft Azure secret keys.

Ensure that an expiration date is configured for all your Microsoft Azure encryption keys.

Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.

Ensure that resource locks are enabled for your high-impact Microsoft Azure resources.

Ensure that Azure Log Profile is configured to export all control & management activities.

Ensure that Azure Log Profile is configured to capture activity logs for all regions.

Ensure that Azure activity log retention period is set for 365 days or greater.

Ensure that a Log Profile exists for each subscription available in your Azure account.

Ensure that the Azure storage container storing the activity logs is not publicly accessible.

Use Bring Your Own Key (BYOK) for Azure activity log storage container encryption.

Ensure that in-transit encryption is enabled for your Azure MySQL database servers.

Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 days.

Ensure there are no network security groups with range of ports opened to allow incoming traffic.

Ensure that no network security groups allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).

Ensure that no network security groups allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).

Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database).

Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database).

Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).

Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol – RDP).

Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).

Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH).

Ensure that Network Watcher service is enabled for all your Microsoft Azure subscriptions.

Ensure that DDoS standard protection is enabled for production Azure virtual networks.

Network security group changes have been detected in your Microsoft Azure cloud account.

Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed.

Policy assignment changes have been detected in your Microsoft Azure cloud account.

Ensure that PostgreSQL database servers have a sufficient log retention period configured.

Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.

Ensure that "connection_throttling" parameter is set to "ON" within your Azure PostgreSQL server settings.

Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL database servers.

Enable "log_connections" parameter for your Microsoft Azure PostgreSQL database servers.

Enable "log_disconnections" parameter for your Microsoft Azure PostgreSQL database servers.

Enable "log_duration" parameter on your Microsoft Azure PostgreSQL database servers.

Ensure that geo-redundant backups are enabled for your Azure PostgreSQL database servers.

Ensure that in-transit encryption is enabled for your Azure PostgreSQL database servers.

Ensure that storage auto-growth is enabled for your Microsoft Azure PostgreSQL database servers.

Ensure that an Azure Active Directory (AAD) admin is configured for PostgreSQL authentication.

Ensure that email notifications are enabled for virtual machine (VM) backup alerts.

Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol.

Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers.

Ensure there is a tagging strategy in use for identifying and organizing Azure resources by name, purpose, environment, and other criteria.

Ensure that Azure Search Service instances are configured to use system-assigned managed identities.

Ensure that Microsoft Azure Security Center recommendations are examined and resolved.

Security solution changes have been detected within your Microsoft Azure cloud account.

Azure security policy changes have been detected within your Microsoft Azure cloud account.

Enable adaptive application safelisting monitoring for Microsoft Azure virtual machines.

Ensure that "Also send email notification to subscription owners" feature is enabled within Azure Security Center.

Ensure that "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level.

Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled.

Enable disk encryption monitoring for Microsoft Azure virtual machines (VMs).

Ensure that "Email Notification for Alerts" security feature is enabled within Azure Security Center.

Enable endpoint protection monitoring and recommendations for Microsoft Azure virtual machines.

Ensure that JIT network access monitoring for Azure virtual machines (VMs) is enabled.

Enable OS vulnerability monitoring for Microsoft Azure virtual machines (VMs).

Ensure that monitoring of deprecated accounts within your Azure subscription(s) is enabled.

Enable network security group recommendations for Microsoft Azure virtual machines (VMs).

Ensure that next generation firewall monitoring for Azure virtual machines (VMs) is enabled.

Enable SQL auditing and threat detection monitoring for Microsoft Azure SQL servers.

Enable SQL encryption monitoring and recommendations for Microsoft Azure SQL servers.

Ensure that Security Center standard pricing tier is enabled in your Microsoft Azure account.

Enable storage encryption monitoring and recommendations for Azure Storage resources.

Enable system updates recommendations for Microsoft Azure virtual machines (VMs).

Ensure that IP forwarding enabled on your Azure virtual machines (VMs) is being monitored.

Ensure that vulnerability assessment monitoring for Azure virtual machines (VMs) is enabled.

Enable web application firewall monitoring for Microsoft Azure virtual machines (VMs).

Ensure that the external accounts with write permissions are monitored using Azure Security Center.

Ensure that the total number of subscription owners within your Azure account is monitored.

Ensure that one or more security contact email addresses are defined within Azure Security Center settings.

Ensure that a security contact phone number is provided in the Azure Security Center settings.

Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.

Ensure that Azure SQL database servers are accessible via private endpoints only.

Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.

Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).

Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.

SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.

Enable all types of threat detection for your Microsoft Azure SQL database servers.

Ensure that database auditing is enabled at the Azure SQL database server level.

Ensure that your Azure SQL database servers are configured to use auto-failover groups.

Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.

Enable administrators and subscription owners to receive threat detection email notification alerts for SQL servers.

Enable threat detection email notification alerts for your Microsoft Azure SQL servers.

Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.

Ensure that SQL database auditing has a sufficient log data retention period configured.

Ensure that an Azure Active Directory (AAD) admin is configured for SQL authentication.

Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).

Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.

Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies.

Ensure that Azure Storage containers created to host static websites are not publicly accessible.

Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.

Ensure that anonymous access to blob containers is disabled within your Azure Storage account.

Ensure that Azure Blob Storage service has a lifecycle management policy configured.

Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification.

Ensure that detailed storage logging is enabled for the Azure Storage Queue service.

Ensure that "Secure transfer required" security feature is enabled within your Azure Storage account configuration.

Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.

Allow Trusted Microsoft Services to access your Azure Storage account resources.

Ensure that your Shared Access Signature (SAS) tokens expire within an hour.

Ensure that Azure Storage account access is limited only to specific IP address(es).

Regenerate storage account access keys periodically to help keep your storage account secure.

Ensure that the default network access rule is set to "Deny" within your Azure Storage account.

Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).

Use customer-managed keys (CMKs) for Microsoft Azure Storage accounts encryption.

Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account.

Ensure there is more than one owner assigned to your Microsoft Azure subscription.

To prevent certain resource types from being deployed ensure that "Not Allowed Resource Types" policy is assigned.

Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.

Ensure that all your Azure virtual machine instances are launched from approved machine images only.

Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.

Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).

Identify and remove empty virtual machine scale sets from your Azure cloud account.

Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys.

Ensure there is a sufficient daily backup retention period configured for Azure virtual machines.

Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.

Identify and remove unused load balancers from your Microsoft Azure cloud account.

Ensure that Azure virtual machine scale sets are configured for zone redundancy.

Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs.

Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.

Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis.

Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs

Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.

Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.

Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).

Ensure that Azure virtual machine disk volumes created for the app tier are encrypted.

Ensure that encryption is enabled for Azure virtual machine boot volumes to protect data at rest.

Ensure that encryption at rest is enabled for Microsoft Azure virtual machine non-boot volumes.

Ensure that encryption at rest is enabled for unattached Azure virtual machine disk volumes.

Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted.

Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.

Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets.

Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.

Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool.

Ensure that Azure virtual machines are configured to use system-assigned managed identities.

Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication.

Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature.

Ensure that the health of your Microsoft Azure scale set instances is being monitored.

Ensure that only approved extensions are installed on your Microsoft Azure virtual machines.

Ensure that endpoint protection is installed on your Microsoft Azure virtual machines.

Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.

Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs

Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption.

Ensure that your Microsoft Azure virtual machines are using managed disk volumes.