Framework/Configurations/SVT/Services/Search.json
{
"FeatureName": "Search", "Reference": "aka.ms/azsktcp/search", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_Search_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "Search110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Search service. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "Search" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Least_Privilege_For_Monitoring", "Description": "Users monitoring/supporting the Search service should be provided with minimum required permissions", "Id": "Search120", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting minimum access to monitoring and support team ensures that they are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of data compromise.", "Recommendation": "Remove any excessive privileges granted on the Search service to monitoring/support teams. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "Best Practice", "Manual", "AuthZ", "Search" ], "Enabled": true }, { "ControlID": "Azure_Search_DP_Encrypt_At_Rest", "Description": "Sensitive data at data source must be encrypted at rest", "Id": "Search130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "To enable encryption for a SQL DB, run command 'Set-AzureRmSqlDatabaseTransparentDataEncryption -DatabaseName '<DBName>' -ResourceGroupName '<RGName>' -ServerName '<SQLServerName>' -State 'Enabled''. Run 'Get-Help Set-AzureRmSqlDatabaseTransparentDataEncryption -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "DP", "Search" ], "Enabled": true }, { "ControlID": "Azure_Search_DP_Encrypt_In_Transit", "Description": "Sensitive data must be encrypted in transit", "Id": "Search140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "For SQL DB, specify 'Encrypt=True, TrustServerCertificate=False' parameters in your application's connection string. For Azure Storage, use HTTPS protocol for data access.", "Tags": [ "SDL", "TCP", "Manual", "DP", "Search", "Information" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Grant_Admin_Keys_For_Manage_Access_Only", "Description": "Admin keys must be furnished only for clients who need to manage the search catalog of Search service", "Id": "Search150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Granting Admin keys to clients means giving access to all operations, including the ability to manage the service, create and delete indexes, indexers, and data sources. So they should be maintained and owned only by the users administering the service.", "Recommendation": "Admin keys should be maintained and owned only by Search service administrators and must be rotated periodically as per the company standards. To get the Admin keys, go to Azure Portal --> your Search service --> Settings --> Keys.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "Search" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Grant_Only_QueryKey_Access_to_Readers", "Description": "Consumers who require read access on Search service must only be granted 'query' keys", "Id": "Search160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Query keys grant read-only access to indexes and documents. So to avoid giving excessive permissions like creating and deleting indexes, only QueryKey access should be given to readers", "Recommendation": "Ensure that Search clients are granted access to 'query' keys only (and not 'admin' keys). To get 'query' keys, go to Azure Portal --> your Search service --> Settings --> Keys --> Manage query keys.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "Search" ], "Enabled": true }, { "ControlID": "Azure_Search_Availability_Configure_Three_Replicas", "Description": "Search service must have at least three replicas for high availability", "Id": "Search170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSearchReplicaCount", "Rationale": "High availability can be achieved by adding replicas. Each replica has one copy of an index, so adding one more replica translates to one more index that can be used to service query requests. Minimum of three replicas are required since the azure team has specified three to be the borderline value for the same", "Recommendation": "Go to Azure Portal --> your Search service --> Settings --> Scale --> Replicas. Ensure that at least 3 replicas are setup.", "Tags": [ "SDL", "TCP", "Automated", "Availability", "Search" ], "Enabled": true }, { "ControlID": "Azure_Search_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days", "Id": "Search180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true. Alternatively, you can also change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics", "Search" ], "PolicyDefinitionGuid":"b4330a05-a843-4bc8-bf9a-cacce50c67f4", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", "Enabled": true } ] } |