standard
turbot/azure_compliance
- Detect & correct App Service web apps register with active directory disabled
- Detect & correct App Service web apps with authentication disabled
- Detect & correct App Service web apps with FTP deployment enabled
- Detect & correct App Service web apps with remote debugging enabled
- Detect & correct App Service web apps without HTTPS enabled
- Detect & correct App Service web apps without latest HTTP version
- Detect & correct App Service web apps without the latest PHP version
- Detect & correct App Service web apps without the latest python version
- Detect & correct App Service web apps without the latest TLS version
- Detect & correct Compute disks not encrypted with CMK
- Detect & correct Compute disks with data access auth mode disabled
- Detect & correct Compute disks with public access enabled
- Detect & correct unattached Compute disks not encrypted with CMK
- Detect & correct Compute VMs without a managed disk
- Detect & correct Cosmos DB accounts with virtual network filter disabled
- Detect & correct Cosmos DB accounts without a private link
- Detect & correct Authorization policies allowing IAM users to create security group
- Detect & correct authorization policy allowing IAM users to register application
- Detect & correct IAM conditional access with MFA disabled
- Detect & correct IAM conditional access with MFA disabled for administrators
- Detect & correct Subscriptions with custom owner roles
- Detect & correct Key Vaults with logging disabled
- Detect & correct Key Vaults with purge protection disabled
- Detect & correct Key Vaults with RBAC disabled
- Detect & correct Key Vaults without a private link
- Detect & correct Key Vaults with non-RBAC keys without expiration date
- Detect & correct Key Vaults with non-RBAC secrets without expiration date
- Detect & correct Key Vaults with RBAC keys without expiration date
- Detect & correct Key Vaults with RBAC secrets without expiration date
- Detect & correct Storage account containers insights activity logs not encrypted with CMK
- Detect & correct MySQL flexible servers with audit log disabled
- Detect & correct MySQL flexible servers with audit log events not set to connection
- Detect & correct MySQL flexible servers with SSL disabled
- Detect & correct MySQL flexible servers without minimum TLS 1.2
- Detect & correct Network load balancers with basic SKU
- Detect & correct Network public IPs with basic SKU
- Detect & correct NSGs allowing inbound to HTTPS port
- Detect & correct NSGs allowing inbound to RDP port
- Detect & correct NSGs allowing inbound to SSH port
- Detect & correct NSGs allowing inbound to UDP port
- Detect & correct NSGs flow log with retention period less than 90 days
- Detect & correct regions with network watcher disabled
- Detect & correct PostgreSQL flexible servers with log retention less than 3 days
- Detect & correct PostgreSQL flexible servers with connection throttling disabled
- Detect & correct PostgreSQL flexible servers with log checkpoints disabled
- Detect & correct PostgreSQL flexible servers with SSL disabled
- Detect & correct PostgreSQL servers allowing access to Azure services
- Detect & correct PostgreSQL servers with connection throttling disabled
- Detect & correct PostgreSQL servers with infrastructure encryption disabled
- Detect & correct PostgreSQL servers with log checkpoints disabled
- Detect & correct PostgreSQL servers with logging connections disabled
- Detect & correct PostgreSQL servers with logging disconnections disabled
- Detect & correct PostgreSQL servers with logging duration disabled
- Detect & correct PostgreSQL servers with log retention less than 3 days
- Detect & correct PostgreSQL servers with SSL disabled
- Detect & correct Redis Caches with basic SKU
- Detect & correct Security Center settings without MCAS integration
- Detect & correct Security Center settings without WDATP integration
- Detect & correct Security Center auto provisioning settings with automatic provisioning monitoring agent disabled
- Detect & correct Security Centers with azure defender disabled for App Service
- Detect & correct Security Centers with azure defender disabled for Container
- Detect & correct Security Centers with Azure Defender disabled for Container Registry
- Detect & correct Security Centers with Azure Defender disabled for Cosmos DB
- Detect & correct Security Centers with Azure Defender disabled for DNS
- Detect & correct Security Centers with Azure Defender disabled for Key Vault
- Detect & correct Security Centers with Azure Defender disabled for open-source relational database
- Detect & correct Security Centers with Azure Defender disabled for Resource Manager
- Detect & correct Security Centers with Azure Defender disabled for Server
- Detect & correct Security Centers with Azure Defender disabled for SQL Database
- Detect & correct Security Centers with Azure Defender disabled for SQL Server Virtual Machine
- Detect & correct Security Centers with Azure Defender disabled for Storage
- Detect & correct Security Centers with security alerts to owner disabled
- Detect & correct Security Centers without additional email configured
- Detect & correct Security Centers without notify alerts configured
- Detect & correct SQL Databases with public access enabled
- Detect & correct SQL Databases with transparent data encryption disabled
- Detect & correct SQL servers TDE protector not encrypted with CMK
- Detect & correct SQL servers with auditing disabled
- Detect & correct SQL servers with auditing retention period less than 90 days
- Detect & correct SQL servers with public network access enabled
- Detect & correct SQL servers without active directory admin configured
- Detect & correct Storage Accounts with blob public access enabled
- Detect & correct Storage Accounts with blob service logging disabled
- Detect & correct Storage Accounts with blob soft delete disabled
- Detect & correct Storage Accounts with default network access rule set to Allow
- Detect & correct Storage accounts with encryption at rest using CMK disabled
- Detect & correct Storage Accounts with infrastructure encryption disabled
- Detect & correct Storage Accounts with minimum TLS version less than 1.2
- Detect & correct Storage Accounts with public access enabled
- Detect & correct Storage Accounts with queue service logging disabled
- Detect & correct Storage Accounts with secure transfer required disabled
- Detect & correct Storage Accounts with table service logging disabled
- Detect & correct Storage Accounts with trusted Microsoft services access disabled
- Detect & correct Storage Accounts not using private link
- Detect & correct Subscriptions diagnostic settings without capturing proper categories
- Detect & correct Subscriptions without activity log alert for create policy assignment
- Detect & correct Subscriptions without activity log alert for create and update NSG
- Detect & correct Subscriptions without activity log alert for create and update security solution
- Detect & correct Subscriptions without activity log alert for create and update SQL servers firewall rule
- Detect & correct Subscriptions without activity log alert for delete NSG
- Detect & correct Subscriptions without activity log alert for delete policy assignment
- Detect & correct Subscriptions without activity log alert for delete public IP address
- Detect & correct Subscriptions without activity log alert for delete security solution
- Detect & correct Subscriptions without activity log alert for delete SQL servers firewall rule
- Detect & correct Subscriptions without activity log alert for create update public IP address
- Detect & correct Subscriptions without application insight configured
- Detect & correct Subscriptions without network bastion host
- Detect & correct Tenants with guest users
- Detect & correct Tenants with more than five IAM global administrator
Get Involved
Version
Trigger: Detect & correct App Service web apps without the latest PHP version
Detect App Services web apps without the latest PHP version and then enable latest PHP version.
Query
select concat(id, ' [', subscription_id, '/', resource_group, ']') as title, id as id, name, resource_group, subscription_id, _ctx ->> 'connection_name' as connfrom azure_app_service_web_appwhere exists ( select from unnest(regexp_split_to_array(kind, ',')) elem where elem like 'app%' ) and exists ( select from unnest(regexp_split_to_array(kind, ',')) elem where elem = 'linux' ) and configuration -> 'properties' ->> 'linuxFxVersion' like 'PHP%' and configuration -> 'properties' ->> 'linuxFxVersion' <> 'PHP|8.3';Schedule
15mTags
category = Compliance
plugin = azure
service = Azure/AppService