Azure

Composite Recipes

Recipes that include further recipes, often including the individual recipes below.

• Best practices for Azure
• Enable Azure Storage Account Trusted Microsoft Services access
• Ensure Azure SQL server audit log retention is greater than 90 days
• Ensure Azure key vault is recoverable
• Set Azure Storage Account default network access to deny

Recipes

• Disable Kubernetes dashboard
• Enable Azure Storage secure transfer required
• Enable geo-redundant backups on PostgreSQL server
• Encrypt Azure VM data disk with ADE/CMK
• Ensure AKS policies add-on
• Ensure AKV secrets have an expiration date set
• Ensure Azure App Service Web app redirects HTTP to HTTPS
• Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
• Ensure Azure PostgreSQL database server with SSL connection is enabled
• Ensure Azure SQL Server threat detection alerts are enabled for all threat types
• Ensure Azure SQL server send alerts to field value is set
• Ensure Azure application gateway has WAF enabled
• Ensure FTP Deployments are disabled
• Ensure MSSQL servers have email service and co-administrators enabled
• Ensure MySQL is using the latest version of TLS encryption
• Ensure MySQL server databases have Enforce SSL connection enabled
• Ensure MySQL server disables public network access
• Ensure MySQL server enables Threat Detection policy
• Ensure MySQL server enables geo-redundant backups
• Ensure PostgreSQL server disables public network access
• Ensure PostgreSQL server enables Threat Detection policy
• Ensure PostgreSQL server enables infrastructure encryption
• Ensure Send email notification for high severity alerts is enabled
• Ensure Send email notification for high severity alerts to admins is enabled
• Ensure Web App has incoming client certificates enabled
• Ensure Web App uses the latest version of HTTP
• Ensure Web App uses the latest version of TLS encryption
• Ensure a security contact phone number is present
• Ensure activity log retention is set to 365 days or greater
• Ensure all keys have an expiration date
• Ensure app service enables HTTP logging
• Ensure app service enables detailed error messages
• Ensure app service enables failed request tracing
• Ensure app services use Azure files
• Ensure key vault allows firewall rules settings
• Ensure key vault enables purge protection
• Ensure key vault key is backed by HSM
• Ensure key vault secrets have content_type set
• Ensure log profile is configured to capture all activities
• Ensure managed identity provider is enabled for app services
• Ensure public network access enabled is set to False for mySQL servers
• Ensure standard pricing tier is selected
• Ensure storage account uses latest TLS version
• Ensure the storage container storing activity logs is not publicly accessible