Azure general policies

Ensure Azure VM data disk is encrypted with ADE/CMK

Ensure Azure App Service Web app authentication is On

Ensure a security contact phone number is present

Ensure 'Send email notification for high severity alerts' is enabled

Ensure 'Send email notification for high severity alerts to admins' is enabled

Ensure Azure SQL Server threat detection alerts are enabled for all threat types

Ensure Azure SQL server 'Send alerts to' field value is set

Ensure MSSQL servers have email service and co-administrators enabled

Ensure standard pricing tier is selected

Ensure all keys have an expiration date

Ensure Azure key vault is recoverable

Ensure a retention period of less than 90 days is specified

Ensure Azure Linux scale set uses an SSH key

Ensure Virtual Machine extensions are not installed

Ensure FTP Deployments are disabled

Ensure PostgreSQL server enables geo-redundant backups

Ensure key vault key is backed by HSM

Ensure MariaDB server enables geo-redundant backups

Ensure MySQL server enables geo-redundant backups

Ensure Virtual Machines are backed up using Azure backup

Ensure Cosmos DB accounts have CMKs to encrypt data at rest

Ensure Data Lake Store accounts enable encryption

Ensure PostgreSQL server enables infrastructure encryption

Ensure Automation account variables are encrypted

Ensure Azure Data Explorer uses disk encryption

Ensure Azure Data Explorer uses double encryption

Ensure Azure Batch account uses key vault to encrypt data

Ensure managed disks use a specific set of disk encryption sets for customer-managed key encryption

Ensure MySQL server enables infrastructure encryption

Ensure Virtual Machine scale sets have encryption at host enabled

Ensure storage for critical data is encrypted with CMKs

Ensure Azure Data Explorer encryption at rest uses a CMK

Ensure unattached disks are encrypted

Ensure Azure data factories are encrypted with a CMK

Ensure MySQL server enables CMKs for encryption

Ensure PostgreSQL server enables CMKs for encryption

Ensure Azure storage account encryption CMKs are enabled

Ensure Azure Data Factory uses Git repository for source control

Ensure key vault enables purge protection

Ensure key vault enables soft-delete

Ensure key vault secrets have content_type set

Ensure Service Fabric clusters use AD for authentication

Ensure MySQL server enables Threat Detection policy

Ensure PostgreSQL server enables Threat Detection policy

Ensure Azure Security Center Defender is set to On for servers

Ensure Azure function app authentication is set to On

Ensure CORS does not allow resources to access app services

Ensure security contact emails are set

Ensure Azure Security Center Defender is set to On for app service

Ensure CORS does not allow resources to access function apps

Ensure function app uses the latest HTTP version

Ensure Azure Security Center Defender is set to On for Azure SQL database servers

Ensure managed identity provider is enabled for app services

Ensure remote debugging is not enabled for app services

Ensure Azure Defender is set to On for SQL servers on machines

Ensure Azure App Service Web app uses the latest .NET Core version

Ensure Azure App Service Web app uses the latest PHP version

Ensure Azure App Service Web app uses the latest Python version

Ensure Azure App Service Web app uses the latest Java version

Ensure Azure Security Center Defender is set to On for storage

Ensure Azure Security Center Defender is set to On for Kubernetes

Ensure Azure Defender is set to On for container registries

Ensure Azure Security Center Defender is set to On for Key Vault

Ensure app services use Azure Files

Ensure Virtual Machines are utilizing managed disks

Ensure automatic OS image patching is enabled for Virtual Machine scale sets

Ensure Microsoft Antimalware is configured to automatically update Virtual Machines

Ensure SQL servers enable data security policy

Ensure Azure SQL server ADS Vulnerability Assessment is enabled

Ensure Azure SQL server ADS Vulnerability Assessment 'Periodic recurring scans' is enabled

Ensure Azure SQL server ADS VA 'Send scan reports to' is configured

Ensure Azure SQL server ADS VA 'Also send email notifications to admins and subscription owners' is enabled

Ensure SQL servers have Azure Active Directory admin configured

Ensure Azure Virtual Machines are utilizing managed disks

Ensure MSSQL is using the latest version of TLS encryption

Ensure MySQL is using the latest version of TLS encryption

Ensure that Active Directory is used for Service Fabric authentication

Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

Ensure that Service Fabric uses the three available levels of protection

Ensure Azure resources that support tags have Tags