Framework/Configurations/SVT/Services/RedisCache.json

{
  "FeatureName": "RedisCache",
  "Reference": "aka.ms/azsktcp/rediscache",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_RedisCache_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "RedisCache110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Redis Cache. Assign 'Redis Cache Contributor' RBAC role to developers who manages Redis Cache configurations. Run command: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "RedisCache"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "RedisCache120",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit",
        "Diagnostics",
        "RedisCache"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_AuthZ_Configure_IP_Range",
      "Description": "Configure Redis Cache firewall settings for additional protection",
      "Id": "RedisCache130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheFirewallIPAddressRange",
      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.",
      "Recommendation": "Enable firewall and add rules specifying permitted IPs/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as that allows access to all possible IPs. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall, (REST API) https://docs.microsoft.com/en-in/rest/api/redis/redisfirewallrule. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "RedisCache"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup",
      "Description": "Redis Data Persistence should be enabled to back up Redis Cache data",
      "Id": "RedisCache140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheRDBBackup",
      "Rationale": "Enabling backup on Redis Cache ensures that there is always a previous snapshot of data that can be leveraged towards recovery scenarios.",
      "Recommendation": "Configure data persistence. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#redis-data-persistence",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "BCDR" ,
        "RedisCache"
      ],
      "Enabled": true
    },
   {
      "ControlID": "Azure_RedisCache_DP_Use_SSL_Port",
      "Description": "Non-SSL port must not be enabled",
      "Id": "RedisCache150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheSSLConfig",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "To disable Non-SSL port for Redis Cache, run command : Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort `$false",
      "Tags": [
         "SDL",
         "TCP",
         "Automated",
         "DP",
         "RedisCache"
      ],
      "Enabled": true,
      "FixControl": {
         "FixMethodName": "DisableNon_SSLport_RedisCache",
         "FixControlImpact": "High"
      }
   },
    {
      "ControlID": "Azure_RedisCache_DP_Rotate_Keys",
      "Description": "Access keys must be rotated periodically",
      "Id": "RedisCache160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate keys at regular intervals. To generate a new key, run command 'New-AzureRmRedisCacheKey'. Run 'Get-Help New-AzureRmRedisCacheKey -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "RedisCache"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_AuthN_Dont_Share_Cache_Instances",
      "Description": "Do not share cache instances across applications",
      "Id": "RedisCache170",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "There is no access control within a cache. If multiple applications share the same cache they will be able to freely access each others cached data which may lead to compromise.",
      "Recommendation": "Create a separate Redis Cache instance for each application. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-web-app-howto#configure-the-application-to-use-redis-cache",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "RedisCache"
      ],
      "Enabled": true
    },
      {
      "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_For_Domain_App",
      "Description": "Redis Cache instance should be confined within a virtual network for domain-joined scenarios",
      "Id": "RedisCache180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Azure Virtual Network (VNet) deployment provides enhanced security and isolation for Azure Redis Cache, as well as subnets, access control policies, and other features to further restrict access.",
      "Recommendation": "For steps to configure Azure Redis Cache on a Virtual Network, refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec",
        "RedisCache"
      ],
      "Enabled": true
    }
  ]
}