
Azure.Pillar.Security.L1

v1.36.0

Microsoft Azure Well-Architected Framework - Security pillar Level 1 maturity baseline.

Rules

The following rules are included within the Azure.Pillar.Security.L1 baseline.

This baseline includes a total of 33 rules.

| Name | Synopsis | Severity | Maturity |
| --- | --- | --- | --- |
| Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical | L1 |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | L1 |
| Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important | L1 |
| Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important | L1 |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important | L1 |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | L1 |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | L1 |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical | L1 |
| Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical | L1 |
| Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important | L1 |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical | L1 |
| Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important | L1 |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical | L1 |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | L1 |
| Azure.AppInsights.LocalAuth | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | L1 |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important | L1 |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | L1 |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important | L1 |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | L1 |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | L1 |
| Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical | L1 |
| Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important | L1 |
| Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical | L1 |
| Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical | L1 |
| Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important | L1 |
| Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important | L1 |