standard
turbot/azure_compliance
- Detect & correct App Service web apps register with active directory disabled
- Detect & correct App Service web apps with authentication disabled
- Detect & correct App Service web apps with FTP deployment enabled
- Detect & correct App Service web apps with remote debugging enabled
- Detect & correct App Service web apps without HTTPS enabled
- Detect & correct App Service web apps without latest HTTP version
- Detect & correct App Service web apps without the latest PHP version
- Detect & correct App Service web apps without the latest python version
- Detect & correct App Service web apps without the latest TLS version
- Detect & correct Compute disks not encrypted with CMK
- Detect & correct Compute disks with data access auth mode disabled
- Detect & correct Compute disks with public access enabled
- Detect & correct unattached Compute disks not encrypted with CMK
- Detect & correct Compute VMs without a managed disk
- Detect & correct Cosmos DB accounts with virtual network filter disabled
- Detect & correct Cosmos DB accounts without a private link
- Detect & correct Authorization policies allowing IAM users to create security group
- Detect & correct authorization policy allowing IAM users to register application
- Detect & correct IAM conditional access with MFA disabled
- Detect & correct IAM conditional access with MFA disabled for administrators
- Detect & correct Subscriptions with custom owner roles
- Detect & correct Key Vaults with logging disabled
- Detect & correct Key Vaults with purge protection disabled
- Detect & correct Key Vaults with RBAC disabled
- Detect & correct Key Vaults without a private link
- Detect & correct Key Vaults with non-RBAC keys without expiration date
- Detect & correct Key Vaults with non-RBAC secrets without expiration date
- Detect & correct Key Vaults with RBAC keys without expiration date
- Detect & correct Key Vaults with RBAC secrets without expiration date
- Detect & correct Storage account containers insights activity logs not encrypted with CMK
- Detect & correct MySQL flexible servers with audit log disabled
- Detect & correct MySQL flexible servers with audit log events not set to connection
- Detect & correct MySQL flexible servers with SSL disabled
- Detect & correct MySQL flexible servers without minimum TLS 1.2
- Detect & correct Network load balancers with basic SKU
- Detect & correct Network public IPs with basic SKU
- Detect & correct NSGs allowing inbound to HTTPS port
- Detect & correct NSGs allowing inbound to RDP port
- Detect & correct NSGs allowing inbound to SSH port
- Detect & correct NSGs allowing inbound to UDP port
- Detect & correct NSGs flow log with retention period less than 90 days
- Detect & correct regions with network watcher disabled
- Detect & correct PostgreSQL flexible servers with log retention less than 3 days
- Detect & correct PostgreSQL flexible servers with connection throttling disabled
- Detect & correct PostgreSQL flexible servers with log checkpoints disabled
- Detect & correct PostgreSQL flexible servers with SSL disabled
- Detect & correct PostgreSQL servers allowing access to Azure services
- Detect & correct PostgreSQL servers with connection throttling disabled
- Detect & correct PostgreSQL servers with infrastructure encryption disabled
- Detect & correct PostgreSQL servers with log checkpoints disabled
- Detect & correct PostgreSQL servers with logging connections disabled
- Detect & correct PostgreSQL servers with logging disconnections disabled
- Detect & correct PostgreSQL servers with logging duration disabled
- Detect & correct PostgreSQL servers with log retention less than 3 days
- Detect & correct PostgreSQL servers with SSL disabled
- Detect & correct Redis Caches with basic SKU
- Detect & correct Security Center settings without MCAS integration
- Detect & correct Security Center settings without WDATP integration
- Detect & correct Security Center auto provisioning settings with automatic provisioning monitoring agent disabled
- Detect & correct Security Centers with azure defender disabled for App Service
- Detect & correct Security Centers with azure defender disabled for Container
- Detect & correct Security Centers with Azure Defender disabled for Container Registry
- Detect & correct Security Centers with Azure Defender disabled for Cosmos DB
- Detect & correct Security Centers with Azure Defender disabled for DNS
- Detect & correct Security Centers with Azure Defender disabled for Key Vault
- Detect & correct Security Centers with Azure Defender disabled for open-source relational database
- Detect & correct Security Centers with Azure Defender disabled for Resource Manager
- Detect & correct Security Centers with Azure Defender disabled for Server
- Detect & correct Security Centers with Azure Defender disabled for SQL Database
- Detect & correct Security Centers with Azure Defender disabled for SQL Server Virtual Machine
- Detect & correct Security Centers with Azure Defender disabled for Storage
- Detect & correct Security Centers with security alerts to owner disabled
- Detect & correct Security Centers without additional email configured
- Detect & correct Security Centers without notify alerts configured
- Detect & correct SQL Databases with public access enabled
- Detect & correct SQL Databases with transparent data encryption disabled
- Detect & correct SQL servers TDE protector not encrypted with CMK
- Detect & correct SQL servers with auditing disabled
- Detect & correct SQL servers with auditing retention period less than 90 days
- Detect & correct SQL servers with public network access enabled
- Detect & correct SQL servers without active directory admin configured
- Detect & correct Storage Accounts with blob public access enabled
- Detect & correct Storage Accounts with blob service logging disabled
- Detect & correct Storage Accounts with blob soft delete disabled
- Detect & correct Storage Accounts with default network access rule set to Allow
- Detect & correct Storage accounts with encryption at rest using CMK disabled
- Detect & correct Storage Accounts with infrastructure encryption disabled
- Detect & correct Storage Accounts with minimum TLS version less than 1.2
- Detect & correct Storage Accounts with public access enabled
- Detect & correct Storage Accounts with queue service logging disabled
- Detect & correct Storage Accounts with secure transfer required disabled
- Detect & correct Storage Accounts with table service logging disabled
- Detect & correct Storage Accounts with trusted Microsoft services access disabled
- Detect & correct Storage Accounts not using private link
- Detect & correct Subscriptions diagnostic settings without capturing proper categories
- Detect & correct Subscriptions without activity log alert for create policy assignment
- Detect & correct Subscriptions without activity log alert for create and update NSG
- Detect & correct Subscriptions without activity log alert for create and update security solution
- Detect & correct Subscriptions without activity log alert for create and update SQL servers firewall rule
- Detect & correct Subscriptions without activity log alert for delete NSG
- Detect & correct Subscriptions without activity log alert for delete policy assignment
- Detect & correct Subscriptions without activity log alert for delete public IP address
- Detect & correct Subscriptions without activity log alert for delete security solution
- Detect & correct Subscriptions without activity log alert for delete SQL servers firewall rule
- Detect & correct Subscriptions without activity log alert for create update public IP address
- Detect & correct Subscriptions without application insight configured
- Detect & correct Subscriptions without network bastion host
- Detect & correct Tenants with guest users
- Detect & correct Tenants with more than five IAM global administrator
Trigger: Detect & correct Storage Accounts with default network access rule set to Allow
Detects Storage Accounts whose default network access rule is set to Allow and runs your chosen action.
Query
select
  concat(sa.id, ' [', sa.resource_group, '/', sa.subscription_id, ']') as title,
  sa.id as id,
  sa.name,
  sa.resource_group,
  sa.subscription_id,
  sa._ctx ->> 'connection_name' as conn
from
  azure_storage_account as sa,
  azure_subscription as sub
where
  sa.network_rule_default_action = 'Allow'
  and sub.subscription_id = sa.subscription_id;
Schedule
15m
Tags
category = Compliance
plugin = azure
service = Azure/Storage