diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index e9ca44c8d..1940e0fa8 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -284,6 +284,19 @@
 "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
 "link": "https://learn.microsoft.com/entra/identity/domain-services/overview"
 },
+ {
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ",
+ "waf": "Reliability",
+ "service": "Entra",
+ "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761",
+ "id": "B03.12",
+ "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
+ "severity": "Medium",
+ "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/overview"
+ },
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
@@ -291,7 +304,7 @@
 "waf": "Security",
 "service": "Entra",
 "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
- "id": "B03.12",
+ "id": "B03.13",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
 "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs"
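Review bot: The B03.12 graph query added in this hunk skips any managed domain whose `properties.replicaSets` is absent, because `array_length(replicaSets) < 2` does not match when the array is null; the zone checks added later in this diff (D07.21, D03.05) guard for that case, so `| where isnull(replicaSets) or array_length(replicaSets) < 2 |` would keep the queries consistent. The new `"text"` value ends in a trailing space (`"... additional regions. "`), as do the D03.05 and D07.22 texts further down — trim them. Inserting the item as B03.12 renumbers B03.12–B03.16 into B03.13–B03.17 across the following hunks; if anything downstream keys on `id` rather than `guid`, appending as B03.17 would avoid that churn, so it is worth confirming which field is the stable identifier.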
@@ -303,7 +316,7 @@
 "waf": "Security",
 "service": "Entra",
 "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
- "id": "B03.13",
+ "id": "B03.14",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
@@ -315,7 +328,7 @@
 "text": "When deploying Microsoft Entra Connect, use a staging sever for high availability/disaster recovery.",
 "waf": "Reliability",
 "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94",
- "id": "B03.14",
+ "id": "B03.15",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server",
 "training": "https://learn.microsoft.com/entra/identity/hybrid/connect/plan-connect-topologies"
@@ -327,7 +340,7 @@
 "waf": "Security",
 "service": "Entra",
 "guid": "35037e68-9349-4c15-b371-228514f4cdff",
- "id": "B03.15",
+ "id": "B03.16",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices"
@@ -339,7 +352,7 @@
 "waf": "Security",
 "service": "Entra",
 "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "id": "B03.16",
+ "id": "B03.17",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy"
@@ -734,6 +747,30 @@
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
 "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
 },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.",
+ "waf": "Reliability",
+ "service": "Load Balancers",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "id": "D01.11",
+ "severity": "High",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', 
param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.",
+ "waf": "Reliability",
+ "service": "Load Balancers",
+ "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
+ "id": "D01.12",
+ "severity": "High",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project 
tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant"
+ },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Encryption",
@@ -808,6 +845,19 @@
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses"
 },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ",
+ "waf": "Reliability",
+ "service": "Public IP Addresses",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "id": "D03.05",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "severity": "High",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone"
+ },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "IP plan",
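Review bot: The D01.11 query never reports a Basic SKU load balancer, because both `union` branches begin with `where tolower(sku.name) != 'basic'`, even though the item's text is "Use Standard Load Balancer SKU"; either the text should say the check only covers zone redundancy of Standard SKU frontends, or a branch flagging Basic SKU (`| where tolower(sku.name) == 'basic' | project name, id, tags, param1='sku: Basic'`) should be added. In the same query the first branch projects only `name, feConfigName, id` before the union, so its rows reach the final `project name, id, tags, ...` with an empty `tags` column. D01.12 emits `Param1`/`Param2` where every other graph query in this diff emits lowercase `param1`/`param2`, and its `"link"` is the same `#zone-redundant` anchor as D01.11, which looks copy-pasted for a backend-pool check. Both links also carry the `en-us` locale segment that the `@@ -2113` hunk of this same commit strips from F01.20.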
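Review bot: In the D03.05 graph query the `case(...)` default branch returns the dynamic `zones` value while the other branches return strings, and that branch is unreachable anyway because the preceding `where isempty(zones) or array_length(zones) <= 1` already covers every row; a string default such as `'Unknown'` keeps the `az` column uniformly typed. The `"text"` value opens with a comma splice ("when applicable, Public IP addresses ...") and ends with a trailing space. The `"training"` URL carries an `en-gb` locale segment whereas the surrounding learn.microsoft.com links are locale-free, and inserting the item as D03.05 renumbers the four DNS items that follow in the next hunks.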
@@ -815,7 +865,7 @@
 "waf": "Operations",
 "service": "DNS",
 "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "id": "D03.05",
+ "id": "D03.06",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal"
@@ -827,7 +877,7 @@
 "waf": "Security",
 "service": "DNS",
 "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
- "id": "D03.06",
+ "id": "D03.07",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
 "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview"
@@ -839,7 +889,7 @@
 "waf": "Operations",
 "service": "DNS",
 "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
- "id": "D03.07",
+ "id": "D03.08",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
 "training": "https://learn.microsoft.com/training/courses/az-700t00"
@@ -851,7 +901,7 @@
 "waf": "Operations",
 "service": "DNS",
 "guid": "614658d3-558f-4d77-849b-821112df27ee",
- "id": "D03.08",
+ "id": "D03.09",
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration"
@@ -1491,7 +1541,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
+ "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.",
 "waf": "Operations",
 "service": "Firewall",
 "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
@@ -1512,6 +1562,31 @@
 "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
 "training": "https://learn.microsoft.com/training/courses/az-104t00/"
 },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.",
+ "waf": "Reliability",
+ "service": "Firewall",
+ "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
+ "id": "D07.21",
+ "severity": "High",
+ "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
+ "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. 
",
+ "waf": "Reliability",
+ "service": "Firewall",
+ "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
+ "id": "D07.22",
+ "severity": "High",
+ "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
+ "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview"
+ },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "PaaS",
@@ -1519,7 +1594,7 @@
 "waf": "Security",
 "service": "App Gateway",
 "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
- "id": "D07.21",
+ "id": "D07.23",
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
@@ -2113,8 +2188,20 @@
 "guid": "aa45be6a-8f2d-4896-b0e3-885e6e94e770",
 "id": "F01.20",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview",
- "training": "https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview#installation"
+ "link": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview#installation"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Data Protection",
+ "text": "Ensure that storage accounts are zone or region redundant, Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.",
+ "waf": "Reliability",
+ "guid": "0d83fd81-952c-4d47-a6cb-3a930925ef2e",
+ "id": "F01.21",
+ "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/en-gb/azure/storage/common/redundancy-migration?tabs=portal",
+ "training": "https://learn.microsoft.com/azure/storage/common/storage-redundancy"
 },
 {
 "category": "Management",
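Review bot: The F01.21 `"link"` added here carries an `en-gb` locale segment while the removed/added lines at the top of this same hunk exist to strip `en-us` from F01.20's links — drop it for consistency: `"link": "https://learn.microsoft.com/azure/storage/common/redundancy-migration?tabs=portal"`. The new entry also has no `"service"` key, unlike every other item added in this commit; if the checklist schema expects one, add it (e.g. `"service": "Storage"` — a placeholder, match whatever the file's existing storage items use). The `"text"` value has a comma splice after "region redundant," which reads as a heading fused to its explanation.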