Framework/Configurations/SVT/Services/RedisCache.json
{
"FeatureName": "RedisCache", "Reference": "aka.ms/azsktcp/rediscache", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_RedisCache_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "RedisCache110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Redis Cache. Assign 'Redis Cache Contributor' RBAC role to developers who manages Redis Cache configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "RedisCache120", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true", "Tags": [ "SDL", "TCP", "Manual", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_RedisCache_AuthZ_Configure_IP_Range", "Description": "Configure Redis Cache firewall settings for additional protection", "Id": "RedisCache130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRedisCacheFirewallIPAddressRange", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.", "Recommendation": "Enable firewall and add rules specifying permitted IPs/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as that allows access to all possible IPs. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall, (REST API) https://docs.microsoft.com/en-in/rest/api/redis/redisfirewallrule", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup", "Description": "Redis Data Persistence should be enabled to back up Redis Cache data", "Id": "RedisCache140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRedisCacheRDBBackup", "Rationale": "Enabling backup on Redis Cache ensures that there is always a previous snapshot of data that can be leveraged towards recovery scenarios.", "Recommendation": "Configure data persistence. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#redis-data-persistence", "Tags": [ "SDL", "Best Practice", "Automated", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_RedisCache_DP_Use_SSL_Port", "Description": "Non-SSL port must not be enabled", "Id": "RedisCache150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedisCacheSSLConfig", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "To disable Non-SSL port for Redis Cache, run command : Set-AzureRmRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true, "FixControl": { "FixMethodName": "DisableNon_SSLport_RedisCache", "FixControlImpact": "High" } }, { "ControlID": "Azure_RedisCache_DP_Rotate_Keys", "Description": "Access keys must be rotated periodically", "Id": "RedisCache160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "Recommendation": "Rotate keys at regular intervals. To generate a new key, run command 'New-AzureRmRedisCacheKey'. Run 'Get-Help New-AzureRmRedisCacheKey -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_RedisCache_AuthN_Dont_Share_Cache_Instances", "Description": "Do not share cache instances across applications", "Id": "RedisCache170", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "There is no access control within a cache. If multiple applications share the same cache they will be able to freely access each others cached data which may lead to compromise.", "Recommendation": "Create a separate Redis Cache instance for each application. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-web-app-howto#configure-the-application-to-use-redis-cache", "Tags": [ "SDL", "TCP", "Manual", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_For_Domain_App", "Description": "Redis Cache instance should be confined within a virtual network for domain-joined scenarios", "Id": "RedisCache180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Azure Virtual Network (VNet) deployment provides enhanced security and isolation for Azure Redis Cache, as well as subnets, access control policies, and other features to further restrict access.", "Recommendation": "For steps to configure Azure Redis Cache on a Virtual Network, refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet", "Tags": [ "SDL", "TCP", "Manual", "NetSec" ], "Enabled": true } ] } |