Framework/Configurations/SVT/Services/LoadBalancer.json
{
"FeatureName": "LoadBalancer", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_LoadBalancer_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "LoadBalancer110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the Load Balancer. Assign 'Log Analytics Contributor, Network Contributor, Virtual Machine Contributor' RBAC role to developers who manages Load Balancer configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_LoadBalancer_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "LoadBalancer120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days. Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled $true. Refer: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_LoadBalancer_NetSec_Justify_PublicIPs", "Description": "Public IPs on a internet facing Load Balancer should be carefully reviewed", "Id": "LoadBalancer130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIP", "Recommendation": "Use steps on portal :LoadBalancer Properties -> Frontend IP configuration -> Click on Context menu of desired Frontend IP configuration -> Delete", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "PublicIpAllocationMethod", "IpConfiguration", "Id", "DnsSettings" ] } ] } |