From cbd6413870206953a4f6256aee9aa0191c515ea6 Mon Sep 17 00:00:00 2001 
From: Jose Moreno Date: Wed, 23 Oct 2024 09:57:53 +0200 Subject: [PATCH] added elements --- ...hecklist.en.json => acr_checklist.en.json} | 0 ...hecklist.es.json => acr_checklist.es.json} | 0 ...hecklist.ja.json => acr_checklist.ja.json} | 0 ...hecklist.ko.json => acr_checklist.ko.json} | 0 ...hecklist.pt.json => acr_checklist.pt.json} | 0 ...es.json => blob_storage_checklist.es.json} | 0 ...ja.json => blob_storage_checklist.ja.json} | 0 ...ko.json => blob_storage_checklist.ko.json} | 0 ...pt.json => blob_storage_checklist.pt.json} | 0 ...on => blob_storage_checklist.zh-Hant.json} | 0 checklists/datasecurity_checklist.en.json | 397 +++++++++++++++++- checklists/eh_security_checklist.es.json | 168 -------- checklists/eh_security_checklist.ja.json | 168 -------- checklists/eh_security_checklist.ko.json | 168 -------- checklists/eh_security_checklist.pt.json | 168 -------- checklists/eh_security_checklist.zh-Hant.json | 168 -------- ...cklist.en.json => redis_checklist.en.json} | 0 ...cklist.es.json => redis_checklist.es.json} | 0 ...cklist.ja.json => redis_checklist.ja.json} | 0 ...cklist.ko.json => redis_checklist.ko.json} | 0 ...cklist.pt.json => redis_checklist.pt.json} | 0 ...Hant.json => redis_checklist.zh-Hant.json} | 0 ...cklist.en.json => sqldb_checklist.en.json} | 0 ...cklist.es.json => sqldb_checklist.es.json} | 0 ...cklist.ja.json => sqldb_checklist.ja.json} | 0 ...cklist.ko.json => sqldb_checklist.ko.json} | 0 ...cklist.pt.json => sqldb_checklist.pt.json} | 0 checklists/streamanalytics_checklist.en.json | 6 +- 28 files changed, 399 insertions(+), 844 deletions(-) rename checklists/{acr_security_checklist.en.json => acr_checklist.en.json} (100%) rename checklists/{acr_security_checklist.es.json => acr_checklist.es.json} (100%) rename checklists/{acr_security_checklist.ja.json => acr_checklist.ja.json} (100%) rename checklists/{acr_security_checklist.ko.json => acr_checklist.ko.json} (100%) rename checklists/{acr_security_checklist.pt.json => 
acr_checklist.pt.json} (100%) rename checklists/{blob_storage_security_checklist.es.json => blob_storage_checklist.es.json} (100%) rename checklists/{blob_storage_security_checklist.ja.json => blob_storage_checklist.ja.json} (100%) rename checklists/{blob_storage_security_checklist.ko.json => blob_storage_checklist.ko.json} (100%) rename checklists/{blob_storage_security_checklist.pt.json => blob_storage_checklist.pt.json} (100%) rename checklists/{blob_storage_security_checklist.zh-Hant.json => blob_storage_checklist.zh-Hant.json} (100%) delete mode 100644 checklists/eh_security_checklist.es.json delete mode 100644 checklists/eh_security_checklist.ja.json delete mode 100644 checklists/eh_security_checklist.ko.json delete mode 100644 checklists/eh_security_checklist.pt.json delete mode 100644 checklists/eh_security_checklist.zh-Hant.json rename checklists/{redis_resiliency_checklist.en.json => redis_checklist.en.json} (100%) rename checklists/{redis_resiliency_checklist.es.json => redis_checklist.es.json} (100%) rename checklists/{redis_resiliency_checklist.ja.json => redis_checklist.ja.json} (100%) rename checklists/{redis_resiliency_checklist.ko.json => redis_checklist.ko.json} (100%) rename checklists/{redis_resiliency_checklist.pt.json => redis_checklist.pt.json} (100%) rename checklists/{redis_resiliency_checklist.zh-Hant.json => redis_checklist.zh-Hant.json} (100%) rename checklists/{sqldb_security_checklist.en.json => sqldb_checklist.en.json} (100%) rename checklists/{sqldb_security_checklist.es.json => sqldb_checklist.es.json} (100%) rename checklists/{sqldb_security_checklist.ja.json => sqldb_checklist.ja.json} (100%) rename checklists/{sqldb_security_checklist.ko.json => sqldb_checklist.ko.json} (100%) rename checklists/{sqldb_security_checklist.pt.json => sqldb_checklist.pt.json} (100%) 
diff --git a/checklists/acr_security_checklist.en.json b/checklists/acr_checklist.en.json
similarity index 100%
rename from checklists/acr_security_checklist.en.json
rename to checklists/acr_checklist.en.json
diff --git a/checklists/acr_security_checklist.es.json b/checklists/acr_checklist.es.json
similarity index 100%
rename from checklists/acr_security_checklist.es.json
rename to checklists/acr_checklist.es.json
diff --git a/checklists/acr_security_checklist.ja.json b/checklists/acr_checklist.ja.json
similarity index 100%
rename from checklists/acr_security_checklist.ja.json
rename to checklists/acr_checklist.ja.json
diff --git a/checklists/acr_security_checklist.ko.json b/checklists/acr_checklist.ko.json
similarity index 100%
rename from checklists/acr_security_checklist.ko.json
rename to checklists/acr_checklist.ko.json
diff --git a/checklists/acr_security_checklist.pt.json b/checklists/acr_checklist.pt.json
similarity index 100%
rename from checklists/acr_security_checklist.pt.json
rename to checklists/acr_checklist.pt.json
diff --git a/checklists/blob_storage_security_checklist.es.json b/checklists/blob_storage_checklist.es.json
similarity index 100%
rename from checklists/blob_storage_security_checklist.es.json
rename to checklists/blob_storage_checklist.es.json
diff --git a/checklists/blob_storage_security_checklist.ja.json b/checklists/blob_storage_checklist.ja.json
similarity index 100%
rename from checklists/blob_storage_security_checklist.ja.json
rename to checklists/blob_storage_checklist.ja.json
diff --git a/checklists/blob_storage_security_checklist.ko.json b/checklists/blob_storage_checklist.ko.json
similarity index 100%
rename from checklists/blob_storage_security_checklist.ko.json
rename to checklists/blob_storage_checklist.ko.json
diff --git a/checklists/blob_storage_security_checklist.pt.json b/checklists/blob_storage_checklist.pt.json
similarity index 100%
rename from checklists/blob_storage_security_checklist.pt.json
rename to checklists/blob_storage_checklist.pt.json
diff --git a/checklists/blob_storage_security_checklist.zh-Hant.json b/checklists/blob_storage_checklist.zh-Hant.json
similarity index 100%
rename from checklists/blob_storage_security_checklist.zh-Hant.json
rename to checklists/blob_storage_checklist.zh-Hant.json
diff --git a/checklists/datasecurity_checklist.en.json b/checklists/datasecurity_checklist.en.json
index 11d495144..9475f5848 100644
--- a/checklists/datasecurity_checklist.en.json
+++ b/checklists/datasecurity_checklist.en.json
@@ -749,7 +749,402 @@ "id": "U01.02", "severity": "Medium", "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link" - } + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Encrypt sensitive data in transit", + "description": "No additional configurations are required as this is enabled on a default deployment.", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "21d41d25-00c8-417b-b9ea-c41fd3390798", + "id": "A01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Enable data at rest encryption by default", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "bc288bec-6a17-4ca7-8444-51e1add3452a", + "id": "A01.02", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Use customer-managed key option in data at rest encryption when required", + "description": "Use Keyvaults to store your CMK", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "ec723923-7a15-41c5-ab5e-401915387e5c", + "id": "A01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key?tabs=Key-Vault" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Microsoft Entra ID as the default authentication method and disable local access wherever possible", + "description": "Use Microsoft Entra ID as the default authentication method.", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "a9c26d9c-42bb-45bd-8c69-99a246e3389a", + "id": "B01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use managed identity to authenticate to the services", + "description": "Use Microsoft Entra ID as the default authentication method.", + "waf": 
"Security", + "service": "Azure Event Hubs", + "guid": "7e42c77d-78cb-46a2-8ad1-9f916e698d8f", + "id": "B01.02", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Configure conditional access policies to restrict the access on Data plane", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "adfe27bd-e187-401a-a352-baa9b68a088c", + "id": "B01.03", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Azure Key Vaults to store secrets and crendentials.", + "description": "Restrict exposure of keys and secerts", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "9a80822b-8eb9-4d1b-a77f-26e5e6beba8e", + "id": "B01.04", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Separate and limit highly privileged/administrative users", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "d4f3437c-c336-4d81-9f27-a71efe1b9b5d", + "id": "B01.05", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Authenticate access to Event Hubs resources using shared access signatures (SAS) and restrict local users", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. You can create additional policy rules in the Configure tab for the namespace in the portal, via PowerShell or Azure CLI. Avoid the usage of local authentication methods or accounts, these should be disabled wherever possible. 
Instead use Azure AD to authenticate where possible.", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "9de0d5d7-21d4-41d2-900c-817bf9eac41f", + "id": "B01.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-shared-access-signature" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Azure RBACs to fine grain the access ", + "description": "Use Azure role-based access control (Azure RBAC) to manage Azure resource access through built-in role assignments. Azure RBAC roles can be assigned to users, groups, service principals, and managed identities.", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "387e5ced-127d-4d14-8b06-b20c6999a646", + "id": "B01.07", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Disable Public Network Access", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch.", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "f3389a7e-42c7-48e7-ac06-a62a2194956e", + "id": "C01.01", + "severity": "Medium" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Use Vnets to isolate traffic over restricted network ", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "6a8dc4a2-fe27-4b2e-8870-1a1352beedf7", + "id": "C01.02", + "severity": "Medium" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources.", + "waf": "Security", + "service": "Azure Event Hubs", + "guid": "9b488dee-c496-42cc-9cd2-1bf77f26e5e6", + "id": "C01.03", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/event-hubs/private-link-service" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Use Workspace roles to provide access to the users on the data", + "description": "Fabric controls data access using workspaces. In workspaces, data appears in the form of Fabric items, and users can't view or use items (data) unless you give them access to the workspace. You can find more information about workspace and item permissions, in Permission model.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "b3bed3d5-f353-47c1-946d-c56028a71ffe", + "id": "D01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/fabric/security/permission-model" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Use RBAC on Onelake to provide fine grain access on the data in Tables/Files Onelake ", + "description": "OneLake RBAC uses role assignments to apply permissions to its members.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "1bd05dd2-e0d5-4d77-8d41-e3611cc57b4a", + "id": "D01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/fabric/onelake/security/data-access-control-model" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "When using shortcuts the user identity of the user should have access on the target location of the shortcut as well", + "description": "Take into account the access of the user at both target and source location of the shortcut", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "4b1410d4-3958-498c-8288-b3c6a57cfc64", + "id": "D01.03", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "link": "https://learn.microsoft.com/fabric/onelake/security/data-access-control-model#shortcuts" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Restrict providing workspace level role to users instead share an 
item only to the users", + "description": "Not all users need to have access on the entire workspace using roles so instead restrict giving roles on the entire workspace and only share the item to the user using share item feature or managing permission in Fabric", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "4451e1a3-d345-43a3-a763-9637a552d5c1", + "id": "D01.04", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "link": "https://learn.microsoft.com/fabric/get-started/share-items" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Limit access to the data by defining RLS, CLS and dynamic data masking on Warehouse and SQL analytics endpoints", + "description": "Use features like RLS, CLS and Dynamic data masking to enhance your data security requirements on sql workloads.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "5e401965-387e-45ce-b127-dd142b06b20c", + "id": "D01.05", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "link": "https://learn.microsoft.com/fabric/data-warehouse/tutorial-row-level-security" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Limit access to the data by defining RLS and OLS on semantic models in Power BI", + "description": "Use features like RLS and OLS on Power BI to have more security features on semantic models", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "6999a646-f338-49a7-b42c-78e78c06a62a", + "id": "D01.06", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "link": "https://learn.microsoft.com/fabric/security/service-admin-row-level-security" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Encrypt Data at rest", + "description": "In Fabric, all data that is stored in OneLake is encrypted at 
rest", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "2194956e-6a8d-4c4a-8fe2-7b2e28701a13", + "id": "D01.07", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Encrypt data in transit", + "description": "Data in transit across the public internet between Microsoft services is always encrypted with at least TLS 1.2. Fabric negotiates to TLS 1.3 whenever possible.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "52beedf7-9b48-48de-bc49-62cc3cd21bf7", + "id": "D01.08", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Microsoft Entra ID as default authentication method", + "description": "No need to do anything. Every request to connect to Fabric is authenticated with Microsoft Entra ID, allowing users to safely connect to Fabric from their corporate office, when working at home, or from a remote location.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "7f26e5e6-b3be-4d3d-9f35-37c1346dc560", + "id": "E01.01", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use workspace identity to authenticate to the services", + "description": "A Fabric workspace identity is an automatically managed service principal that can be associated with a Fabric workspace. Workspace identities can be created in the workspace settings of any workspace except My workspaces. A workspace identity is automatically assigned the workspace contributor role and has access to workspace items. 
Limitation: Write to shortcut destination fails when using workspace identity as the authentication method. Connections with workspace-identity-authentication can only be used in Onelake shortcuts and data pipelines.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "28a71ffe-1bd0-45dd-8e0d-5d771d41e361", + "id": "E01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/fabric/security/workspace-identity" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Provide RBAC roles on storage account to the managed identity to make a successful connection", + "description": "Grant the identity permissions on the storage account", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "1cc57b4a-4b14-410d-9395-898c2288b3c6", + "id": "E01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/fabric/security/workspace-identity-authenticate#step-2-grant-the-identity-permissions-on-the-storage-account" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Configure trusted workspace access to access storage account behind firewall ", + "description": "Fabric workspaces with a workspace identity can securely read or write to firewall-enabled Azure Data Lake Storage Gen2 accounts through�trusted workspace access�for OneLake shortcuts.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "a57cfc64-4451-4e1a-9d34-53a3c7639637", + "id": "F01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/fabric/security/security-trusted-workspace-access" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Use managed vnet option if you have network isolation needs", + "description": "Managed virtual networks are virtual networks that are created and managed by Microsoft Fabric for each Fabric workspace. 
Managed virtual networks provide network isolation for Fabric Spark workloads, meaning that the compute clusters are deployed in a dedicated network and are no longer part of the shared virtual network. It is only supported for spark workload in Fabric.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "a552d5c1-5e40-4196-9387-e5ced127dd14", + "id": "F01.02", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "link": "https://learn.microsoft.com/fabric/security/security-managed-vnets-fabric-overview" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Configure managed private endpoints to access Azure services", + "description": "Managed private endpoints are feature that allows secure and private access to data sources from Fabric Spark workloads. You cannot use starter pool with managed PE", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "6f4a0641-addd-4ea8-a477-cdeb3861bc3b", + "id": "F01.03", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "link": "https://learn.microsoft.com/fabric/security/security-managed-private-endpoints-overview" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Configure Private Links to access resources in your own Azure vnet i.e traffic coming in your Fabric environment", + "description": "Fabric uses a private IP address from your virtual network. 
The endpoint allows users in your network to communicate with Fabric over the private IP address using private links.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "c14aea6e-65d8-4d9a-9aec-218e6436b063", + "id": "F01.04", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "link": "https://learn.microsoft.com/fabric/security/security-private-links-use" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Configure Microsoft Entra ID conditional access if a user is trying to access your Fabric environment", + "description": "When a user authenticates access is determined based on a set of policies that might include IP address, location, and managed devices.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "6cb45e57-9603-4324-adf8-cc23318da611", + "id": "F01.05", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "link": "https://learn.microsoft.com/fabric/security/security-conditional-access" + }, + { + "category": "Networking", + "subcategory": "", + "text": "You can use Azure service tags to enable connections to and from Microsoft Fabric.", + "description": "In Azure, a service tag is a defined group of IP addresses that is automatically managed, as a group, to minimize the complexity of updates or changes to network security rules.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "70265f4b-b46a-4393-af70-317294797b15", + "id": "F01.06", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "link": "https://learn.microsoft.com/fabric/security/security-service-tags" + }, + { + "category": "Networking", + "subcategory": "", + "text": "You can add Fabric URLs to your allowlist", + "description": "optional", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "78a219a4-6beb-4544-9502-4922634292bb", + 
"id": "F01.07", + "severity": "Medium", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "link": "https://learn.microsoft.com/fabric/security/fabric-allow-list-urls" + }, + { + "category": "Networking", + "subcategory": "", + "text": "You can add Power BI URLs to your allowlist", + "description": "optional", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "528537a5-4119-4bf8-b8f5-854287d9cdc1", + "id": "F01.08", + "severity": "Medium", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "link": "https://learn.microsoft.com/fabric/security/power-bi-allow-list-urls" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Configure and use On-prem data gateway or Vnet data gateway to connect to sources either on prem or behind a virtual network", + "description": "The data gateway lets you connect your Azure and other data services to Microsoft Fabric and the Power Platform to securely communicate with the data source, execute queries, and transmit results back to the service.", + "waf": "Security", + "service": "Microsoft Fabric", + "guid": "56cc071a-e9b1-441a-a889-535e727897e7", + "id": "F01.09", + "severity": "Medium", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-install" + } + ], "categories": [], "waf": [ diff --git a/checklists/eh_security_checklist.es.json b/checklists/eh_security_checklist.es.json deleted file mode 100644 index eeec91f60..000000000 --- a/checklists/eh_security_checklist.es.json +++ /dev/null 
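Review bot: Item B01.06's text tells readers to "Authenticate access to Event Hubs resources using shared access signatures (SAS)", which contradicts B01.01 ("disable local access wherever possible") and B01.06's own description, so the checklist recommends the very thing it says to avoid; reword it to something like `"text": "If SAS cannot be avoided, never use RootManageSharedAccessKey: create per-entity policies with only Send or Listen rights, rotate the keys, and prefer Entra ID authentication"`. A01.01's description says no configuration is needed, yet its link is the page for enforcing a minimum TLS version, and the Spanish text this same patch deletes below states that a namespace accepts TLS 1.0 by default, so the item should read `"description": "Transport encryption is on by default, but set the namespace minimum TLS version to 1.2 so older clients cannot negotiate TLS 1.0/1.1."`. The descriptions of B01.06 and F01.01 contain mojibake (`It�s`, `don�t`, `through�trusted workspace access�for`) and B01.04 has `crendentials`/`secerts`; since this is strict JSON rendered to users, the replacement characters should become plain apostrophes and spaces. The deleted translations carried a monitoring item (enable runtime audit and Kafka logs) and an IP-firewall item that the new Event Hubs block A01–C01 does not appear to include, and several Fabric `training` links (an ExpressRoute module on D01.07, networking paths on D01.03/D01.05) look copy-pasted and unrelated to their items.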
@@ -1,168 +0,0 @@ -{ - "categories": [ - { - "name": "Seguridad" - } - ], - "items": [ - { - "category": "Seguridad", - "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "id": "A01.01", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "severity": "Bajo", - "subcategory": "Protección de datos", - "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "id": "A01.02", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "severity": "Medio", - "subcategory": "Protección de datos", - "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "id": "A02.01", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "severity": "Medio", - "subcategory": "Gestión de identidades y accesos", - "text": "Evite usar la cuenta raíz cuando no sea necesario", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, Virtual Machine Scale Sets y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "id": "A02.02", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "severity": "Medio", - "subcategory": "Gestión de identidades y accesos", - "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "id": "A02.03", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "severity": "Alto", - "subcategory": "Gestión de identidades y accesos", - "text": "Usar RBAC del plano de datos con privilegios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "Los registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. 
Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "id": "A03.01", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "severity": "Medio", - "subcategory": "Monitorización", - "text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "id": "A04.01", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "severity": "Medio", - "subcategory": "Gestión de redes", - "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Seguridad" - }, - { - "category": "Seguridad", - "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "id": "A04.02", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "severity": "Medio", - "subcategory": "Gestión de redes", - "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Seguridad" - } - ], - "metadata": { - "name": "Azure Event Hub Review", - "state": "Preview", - "timestamp": "December 15, 2023" - }, - "severities": [ - { - "name": "Alto" - }, - { - "name": "Medio" - }, - { - "name": "Bajo" - } - ], - "status": [ - { - "description": "Esta comprobación aún no se ha examinado", - "name": "No verificado" - }, - { - "description": "Hay un elemento de acción asociado a esta comprobación", - "name": "Abrir" - }, - { - "description": "Esta comprobación se ha verificado y no hay más elementos de acción asociados a ella", - "name": "Cumplido" - }, - { - "description": "Recomendación entendida, pero no necesaria por los requisitos actuales", - "name": "Riesgo aceptado" - }, - { - "description": "No aplicable para el diseño actual", - "name": "N/A" - } - ], - "waf": [ - { - "name": "Fiabilidad" - }, - { - "name": "Seguridad" - }, - { - "name": "Costar" - }, - { - "name": "Operaciones" - }, - { - "name": "Rendimiento" - } - ], - "yesno": [ - { - "name": "Sí" - }, - { - "name": "No" - } - ] -} \ No newline at end of file diff --git a/checklists/eh_security_checklist.ja.json b/checklists/eh_security_checklist.ja.json deleted file mode 100644 index b43fca412..000000000 --- a/checklists/eh_security_checklist.ja.json +++ /dev/null 
@@ -1,168 +0,0 @@ -{ - "categories": [ - { - "name": "安全" - } - ], - "items": [ - { - "category": "安全", - "description": "Azure Event Hub は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "id": "A01.01", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "severity": "低い", - "subcategory": "データ保護", - "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Azure Event Hubs 名前空間を使用すると、クライアントは TLS 1.0 以降でデータを送受信できます。より厳格なセキュリティ対策を適用するには、クライアントが新しいバージョンの TLS を使用してデータを送受信するように Event Hubs 名前空間を構成できます。Event Hubs 名前空間で TLS の最小バージョンが必要な場合、古いバージョンで行われた要求はすべて失敗します。", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "id": "A01.02", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "severity": "中程度", - "subcategory": "データ保護", - "text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Event Hubs 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey という名前のポリシー規則が自動的に作成されます。このポリシーには、名前空間全体に対する管理アクセス許可があります。このルールは、管理ルートアカウントのように扱い、アプリケーションでは使用しないことをお勧めします。RBAC で認証プロバイダーとして AAD を使用することをお勧めします。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "id": "A02.01", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "severity": "中程度", - "subcategory": "IDおよびアクセス管理", - "text": "必要のない場合はrootアカウントの使用を避けてください", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Azure 
リソースのマネージド ID は、Azure Virtual Machines (VM)、関数アプリ、Virtual Machine Scale Sets、およびその他のサービスで実行されているアプリケーションから Azure AD 資格情報を使用して Event Hubs リソースへのアクセスを承認できます。Azure リソースのマネージド ID を Azure AD 認証と共に使用することで、クラウドで実行されるアプリケーションに資格情報を格納することを回避できます。", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "id": "A02.02", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "severity": "中程度", - "subcategory": "IDおよびアクセス管理", - "text": "可能な場合、アプリケーションではマネージド ID を使用して Azure Event Hub に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに用意することを検討してください", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" - }, - { - "category": "安全", - "description": "アクセス許可を作成するときは、Azure Event Hub へのクライアントのアクセスをきめ細かく制御します。Azure Event Hub のアクセス許可は、個々のリソース レベル (コンシューマー グループ、イベント ハブ エンティティ、イベント ハブ名前空間など) にスコープを設定する必要があり、またそうする必要があります。", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "id": "A02.03", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "severity": "高い", - "subcategory": "IDおよびアクセス管理", - "text": "最小特権データ プレーン RBAC を使用する", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Azure Event Hub リソース ログには、操作ログ、仮想ネットワーク、Kafka ログが含まれます。ランタイム監査ログは、Event Hubs のすべてのデータ プレーン アクセス操作 (イベントの送信や受信など) に関する集計された診断情報をキャプチャします。", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "id": "A03.01", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "severity": "中程度", - "subcategory": "モニタリング", - "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用して、リソース ログ、ランタイム監査ログ、Kafka ログなどのメトリックとログをキャプチャします", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" - }, - { - "category": "安全", - "description": 
"既定では、Azure Event Hub にはパブリック IP アドレスがあり、インターネットに到達できます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Event Hub の間のトラフィックが Microsoft のバックボーン ネットワークを経由するようになります。それに加えて、パブリックエンドポイントを使用しない場合は無効にする必要があります。", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "id": "A04.01", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "severity": "中程度", - "subcategory": "ネットワーキング", - "text": "プライベート エンドポイントを使用して Azure Event Hub にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" - }, - { - "category": "安全", - "description": "IP ファイアウォールを使用すると、パブリック エンドポイントを CIDR (Classless Inter-Domain Routing) 表記の IPv4 アドレスまたはIPv4 アドレス範囲のセットのみに制限できます。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "id": "A04.02", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "severity": "中程度", - "subcategory": "ネットワーキング", - "text": "特定の IP アドレスまたは範囲からの Azure Event Hub 名前空間へのアクセスのみを許可することを検討してください", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" - } - ], - "metadata": { - "name": "Azure Event Hub Review", - "state": "Preview", - "timestamp": "December 15, 2023" - }, - "severities": [ - { - "name": "高い" - }, - { - "name": "中程度" - }, - { - "name": "低い" - } - ], - "status": [ - { - "description": "このチェックはまだ検討されていません", - "name": "未確認" - }, - { - "description": "このチェックにはアクションアイテムが関連付けられています", - "name": "開ける" - }, - { - "description": "このチェックは検証済みで、これ以上のアクションアイテムは関連付けられていません", - "name": "達成" - }, - { - "description": "推奨事項は理解されているが、現在の要件では不要", - "name": "リスクの受け入れ" - }, - { - "description": "現在のデザインには適用されません", - "name": "該当なし" - } - ], - "waf": [ - { - "name": "確実" - }, - { - "name": "安全" - }, - { - "name": "費用" - }, - { - "name": "オペレーションズ" - }, - { - "name": "パフォーマンス" - } - ], - "yesno": [ - { - "name": "はい" - }, - { - "name": "いいえ" - } - ] -} \ No newline at end of file 
diff --git a/checklists/eh_security_checklist.ko.json b/checklists/eh_security_checklist.ko.json
deleted file mode 100644
index 7902fd51a..000000000
--- a/checklists/eh_security_checklist.ko.json
+++ /dev/null
@@ -1,168 +0,0 @@ -{ - "categories": [ - { - "name": "안전" - } - ], - "items": [ - { - "category": "안전", - "description": "Azure Event Hub는 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "id": "A01.01", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "severity": "낮다", - "subcategory": "데이터 보호", - "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "안전" - }, - { - "category": "안전", - "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전을 사용하여 수행한 모든 요청이 실패합니다. ", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "id": "A01.02", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "severity": "보통", - "subcategory": "데이터 보호", - "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "안전" - }, - { - "category": "안전", - "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "id": "A02.01", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "severity": "보통", - "subcategory": "ID 및 액세스 관리", - "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "안전" - }, - { - "category": "안전", - "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "id": "A02.02", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "severity": "보통", - "subcategory": "ID 및 액세스 관리", - "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "안전" - }, - { - "category": "안전", - "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "id": "A02.03", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "severity": "높다", - "subcategory": "ID 및 액세스 관리", - "text": "최소 권한 데이터 평면 RBAC 사용", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "안전" - }, - { - "category": "안전", - "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 
런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "id": "A03.01", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "severity": "보통", - "subcategory": "모니터링", - "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "안전" - }, - { - "category": "안전", - "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "id": "A04.01", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "severity": "보통", - "subcategory": "네트워킹", - "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "안전" - }, - { - "category": "안전", - "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 집합 또는 IPv4 주소 범위로만 추가로 제한할 수 있습니다. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "id": "A04.02", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "severity": "보통", - "subcategory": "네트워킹", - "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "안전" - } - ], - "metadata": { - "name": "Azure Event Hub Review", - "state": "Preview", - "timestamp": "December 15, 2023" - }, - "severities": [ - { - "name": "높다" - }, - { - "name": "보통" - }, - { - "name": "낮다" - } - ], - "status": [ - { - "description": "이 검사는 아직 검토되지 않았습니다", - "name": "확인되지 않음" - }, - { - "description": "이 검사와 연관된 작업 항목이 있습니다", - "name": "열다" - }, - { - "description": "이 검사는 확인되었으며 이와 관련된 추가 작업 항목이 없습니다", - "name": "성취" - }, - { - "description": "권장 사항은 이해되었지만 현재 요구 사항에 필요하지 않음", - "name": "감수된 위험" - }, - { - "description": "현재 설계에는 적용되지 않습니다.", - "name": "해당 없음" - } - ], - "waf": [ - { - "name": "신뢰도" - }, - { - "name": "안전" - }, - { - "name": "비용" - }, - { - "name": "작업" - }, - { - "name": "공연" - } - ], - "yesno": [ - { - "name": "예" - }, - { - "name": "아니요" - } - ] -} \ No newline at end of file diff --git a/checklists/eh_security_checklist.pt.json b/checklists/eh_security_checklist.pt.json deleted file mode 100644 index 8615987d7..000000000 --- a/checklists/eh_security_checklist.pt.json +++ /dev/null 
@@ -1,168 +0,0 @@ -{ - "categories": [ - { - "name": "Segurança" - } - ], - "items": [ - { - "category": "Segurança", - "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "id": "A01.01", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "severity": "Baixo", - "subcategory": "Proteção de Dados", - "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "id": "A01.02", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "severity": "Média", - "subcategory": "Proteção de Dados", - "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "id": "A02.01", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "severity": "Média", - "subcategory": "Gerenciamento de identidades e acesso", - "text": "Evite usar conta root quando não for necessário", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "id": "A02.02", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "severity": "Média", - "subcategory": "Gerenciamento de identidades e acesso", - "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "id": "A02.03", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "severity": "Alto", - "subcategory": "Gerenciamento de identidades e acesso", - "text": "Usar RBAC do plano de dados de privilégios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. 
Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "id": "A03.01", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "severity": "Média", - "subcategory": "Monitorização", - "text": "Habilite o registro em log para investigação de segurança. Usar o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "id": "A04.01", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "severity": "Média", - "subcategory": "Rede", - "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" - }, - { - "category": "Segurança", - "description": "Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "id": "A04.02", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "severity": "Média", - "subcategory": "Rede", - "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Segurança" - } - ], - "metadata": { - "name": "Azure Event Hub Review", - "state": "Preview", - "timestamp": "December 15, 2023" - }, - "severities": [ - { - "name": "Alto" - }, - { - "name": "Média" - }, - { - "name": "Baixo" - } - ], - "status": [ - { - "description": "Esta verificação ainda não foi analisada", - "name": "Não verificado" - }, - { - "description": "Há um item de ação associado a essa verificação", - "name": "Abrir" - }, - { - "description": "Essa verificação foi verificada e não há outros itens de ação associados a ela", - "name": "Cumprido" - }, - { - "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais", - "name": "Risco aceito" - }, - { - "description": "Não aplicável ao projeto atual", - "name": "N/A" - } - ], - "waf": [ - { - "name": "Fiabilidade" - }, - { - "name": "Segurança" - }, - { - "name": "Custar" - }, - { - "name": "Operações" - }, - { - "name": "Desempenho" - } - ], - "yesno": [ - { - "name": "Sim" - }, - { - "name": "Não" - } - ] -} \ No newline at end of file diff --git a/checklists/eh_security_checklist.zh-Hant.json b/checklists/eh_security_checklist.zh-Hant.json deleted file mode 100644 index 6faad36c7..000000000 --- a/checklists/eh_security_checklist.zh-Hant.json +++ /dev/null 
@@ -1,168 +0,0 @@ -{ - "categories": [ - { - "name": "安全" - } - ], - "items": [ - { - "category": "安全", - "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 管理的金鑰對數據進行加密,但此外,還將使用客戶管理的密鑰對 Microsoft 管理的金鑰進行加密。", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "id": "A01.01", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "severity": "低", - "subcategory": "數據保護", - "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "id": "A01.02", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "severity": "中等", - "subcategory": "數據保護", - "text": "對請求強制實施所需的最低傳輸層安全性 (TLS) 版本", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" - }, - { - "category": "安全", - "description": "創建事件中心命名空間時,會自動為該命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理 root 帳戶,不要在應用程式中使用它。建議使用 AAD 作為具有 RBAC 的身份驗證提供程式。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "id": "A02.01", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "severity": "中等", - "subcategory": "身份和訪問管理", - "text": "避免在不必要的情況下使用 root 帳戶", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授予對事件中心資源的訪問許可權。通過將 Azure 資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "id": "A02.02", - "link": 
"https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "severity": "中等", - "subcategory": "身份和訪問管理", - "text": "如果可能,應用程式應使用託管標識向 Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" - }, - { - "category": "安全", - "description": "創建許可權時,請對用戶端對 Azure 事件中心的訪問提供精細控制。Azure 事件中心中的許可權可以且應限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "id": "A02.03", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "severity": "高", - "subcategory": "身份和訪問管理", - "text": "使用最低特權數據平面 RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" - }, - { - "category": "安全", - "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "id": "A03.01", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "severity": "中等", - "subcategory": "監測", - "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" - }, - { - "category": "安全", - "description": "默認情況下,Azure 事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量通過 Microsoft 主幹網路遍歷。除此之外,如果未使用公共終結點,則應禁用這些終結點。", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "id": "A04.01", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "severity": "中等", - "subcategory": "聯網", - "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" - }, - { - "category": "安全", - "description": "使用IP防火牆,您可以將公共終結點進一步限製為僅一組 IPv4 位址或 
CIDR(無類別域間路由)表示法的 IPv4 位址範圍。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "id": "A04.02", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "severity": "中等", - "subcategory": "聯網", - "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" - } - ], - "metadata": { - "name": "Azure Event Hub Review", - "state": "Preview", - "timestamp": "December 15, 2023" - }, - "severities": [ - { - "name": "高" - }, - { - "name": "中等" - }, - { - "name": "低" - } - ], - "status": [ - { - "description": "此檢查尚未查看", - "name": "未驗證" - }, - { - "description": "有一個與此檢查關聯的操作項", - "name": "打開" - }, - { - "description": "此檢查已經過驗證,沒有與之關聯的其他操作項", - "name": "實現" - }, - { - "description": "建議已理解,但當前要求不需要", - "name": "接受風險" - }, - { - "description": "不適用於當前設計", - "name": "不適用" - } - ], - "waf": [ - { - "name": "可靠性" - }, - { - "name": "安全" - }, - { - "name": "成本" - }, - { - "name": "操作" - }, - { - "name": "性能" - } - ], - "yesno": [ - { - "name": "是的" - }, - { - "name": "不" - } - ] -} \ No newline at end of file diff --git a/checklists/redis_resiliency_checklist.en.json b/checklists/redis_checklist.en.json similarity index 100% rename from checklists/redis_resiliency_checklist.en.json rename to checklists/redis_checklist.en.json diff --git a/checklists/redis_resiliency_checklist.es.json b/checklists/redis_checklist.es.json similarity index 100% rename from checklists/redis_resiliency_checklist.es.json rename to checklists/redis_checklist.es.json diff --git a/checklists/redis_resiliency_checklist.ja.json b/checklists/redis_checklist.ja.json similarity index 100% rename from checklists/redis_resiliency_checklist.ja.json rename to checklists/redis_checklist.ja.json 
diff --git a/checklists/redis_resiliency_checklist.ko.json b/checklists/redis_checklist.ko.json
similarity index 100%
rename from checklists/redis_resiliency_checklist.ko.json
rename to checklists/redis_checklist.ko.json
diff --git a/checklists/redis_resiliency_checklist.pt.json b/checklists/redis_checklist.pt.json
similarity index 100%
rename from checklists/redis_resiliency_checklist.pt.json
rename to checklists/redis_checklist.pt.json
diff --git a/checklists/redis_resiliency_checklist.zh-Hant.json b/checklists/redis_checklist.zh-Hant.json
similarity index 100%
rename from checklists/redis_resiliency_checklist.zh-Hant.json
rename to checklists/redis_checklist.zh-Hant.json
diff --git a/checklists/sqldb_security_checklist.en.json b/checklists/sqldb_checklist.en.json
similarity index 100%
rename from checklists/sqldb_security_checklist.en.json
rename to checklists/sqldb_checklist.en.json
diff --git a/checklists/sqldb_security_checklist.es.json b/checklists/sqldb_checklist.es.json
similarity index 100%
rename from checklists/sqldb_security_checklist.es.json
rename to checklists/sqldb_checklist.es.json
diff --git a/checklists/sqldb_security_checklist.ja.json b/checklists/sqldb_checklist.ja.json
similarity index 100%
rename from checklists/sqldb_security_checklist.ja.json
rename to checklists/sqldb_checklist.ja.json
diff --git a/checklists/sqldb_security_checklist.ko.json b/checklists/sqldb_checklist.ko.json
similarity index 100%
rename from checklists/sqldb_security_checklist.ko.json
rename to checklists/sqldb_checklist.ko.json
diff --git a/checklists/sqldb_security_checklist.pt.json b/checklists/sqldb_checklist.pt.json
similarity index 100%
rename from checklists/sqldb_security_checklist.pt.json
rename to checklists/sqldb_checklist.pt.json
diff --git a/checklists/streamanalytics_checklist.en.json b/checklists/streamanalytics_checklist.en.json
index 868d10680..bbc5a0912 100644
--- a/checklists/streamanalytics_checklist.en.json
+++ b/checklists/streamanalytics_checklist.en.json
@@ -2,7 +2,7 @@
 "items": [
 {
 "category": "Operations Management",
- "subcategory": "High Availablity ",
+ "subcategory": "High Availablity",
 "text": "Leverage FTA Resiliency Handbook for Stream Analytics",
 "waf": "Reliability",
 "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9",
@@ -12,7 +12,7 @@
 },
 {
 "category": "Operations Management",
- "subcategory": "High Availablity ",
+ "subcategory": "High Availablity",
 "text": "Understand High Availability 99% SLA and use it to plan your DR strategy",
 "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�",
 "waf": "Reliability",
@@ -35,7 +35,7 @@
 {
 "category": "Operations Management",
 "subcategory": "Geo Redundancy",
- "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ",
+ "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration",
 "waf": "Reliability",
 "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a",
 "id": "41.4",