- Best practices for Azure
- Disable Kubernetes dashboard
- Enable Azure Storage Account Trusted Microsoft Services access
- Enable Azure Storage secure transfer required
- Enable geo-redundant backups on PostgreSQL server
- Encrypt Azure VM data disk with ADE/CMK
- Ensure AKS policies add-on
- Ensure AKV secrets have an expiration date set
- Ensure Azure App Service Web app redirects HTTP to HTTPS
- Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
- Ensure Azure PostgreSQL database server with SSL connection is enabled
- Ensure Azure SQL Server threat detection alerts are enabled for all threat types
- Ensure Azure SQL server audit log retention is greater than 90 days
- Ensure Azure SQL server send alerts to field value is set
- Ensure Azure application gateway has WAF enabled
- Ensure Azure key vault is recoverable
- Ensure FTP Deployments are disabled
- Ensure MSSQL servers have email service and co-administrators enabled
- Ensure MySQL is using the latest version of TLS encryption
- Ensure MySQL server databases have Enforce SSL connection enabled
- Ensure MySQL server disables public network access
- Ensure MySQL server enables Threat Detection policy
- Ensure MySQL server enables geo-redundant backups
- Ensure PostgreSQL server disables public network access
- Ensure PostgreSQL server enables Threat Detection policy
- Ensure PostgreSQL server enables infrastructure encryption
- Ensure Send email notification for high severity alerts is enabled
- Ensure Send email notification for high severity alerts to admins is enabled
- Ensure Web App has incoming client certificates enabled
- Ensure Web App uses the latest version of HTTP
- Ensure Web App uses the latest version of TLS encryption
- Ensure a security contact phone number is present
- Ensure activity log retention is set to 365 days or greater
- Ensure all keys have an expiration date
- Ensure app service enables HTTP logging
- Ensure app service enables detailed error messages
- Ensure app service enables failed request tracing
- Ensure app services use Azure files
- Ensure key vault allows firewall rules settings
- Ensure key vault enables purge protection
- Ensure key vault key is backed by HSM
- Ensure key vault secrets have
content_type
set - Ensure log profile is configured to capture all activities
- Ensure managed identity provider is enabled for app services
- Ensure public network access enabled is set to False for mySQL servers
- Ensure standard pricing tier is selected
- Ensure storage account uses latest TLS version
- Ensure the storage container storing activity logs is not publicly accessible
- Set Azure Storage Account default network access to deny