Framework/Configurations/SVT/Services/TrafficManager.json

{
  "FeatureName": "TrafficManager",
  "Reference": "aka.ms/azsktcp/trafficmanager",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_TrafficManager_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "TrafficManager110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Clean up any unauthorized users on the Traffic Manager Profile. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "TrafficManager"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_TrafficManager_DP_Enable_HTTPS",
      "Description": "Traffic Manager profile should use HTTPS protocol for endpoint monitoring",
      "Id": "TrafficManager120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckTrafficManagerEndpointMonitorProtocol",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "To enable HTTPS protocol for endpoint monitoring, go to Azure Portal --> your Traffic Manager Profile --> Configuration --> Select HTTPS --> Save.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "DP",
        "TrafficManager"
      ],
      "Enabled": true
    }
  ]
}