AzSKPreview

4.0.0

Framework/Configurations/SVT/Services/LoadBalancer.json

                                {

   "FeatureName": "LoadBalancer",

   "Reference": "aka.ms/azsktcp/loadbalancer",

   "IsMaintenanceMode": false,

   "Controls": [

      {

         "ControlID": "Azure_LoadBalancer_AuthZ_Grant_Min_RBAC_Access",

         "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",

         "Id": "LoadBalancer110",

         "ControlSeverity": "Medium",

         "Automated": "Yes",

         "MethodName": "CheckRBACAccess",

         "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

         "Recommendation": "Remove any excessive privileges granted on the Load Balancer. Assign 'Log Analytics Contributor, Network Contributor, Virtual Machine Contributor' RBAC role to developers who manages Load Balancer configurations. Run command: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",

         "Tags": [

            "SDL",

            "TCP",

            "Automated",

            "AuthZ",

            "RBAC",

            "LoadBalancer"

         ],

         "Enabled": true

      },

      {

         "ControlID": "Azure_LoadBalancer_Audit_Enable_Diagnostics_Log",

         "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",

         "Id": "LoadBalancer120",

         "ControlSeverity": "Medium",

         "Automated": "Yes",

         "MethodName": "CheckDiagnosticsSettings",

         "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",

         "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",

         "Tags": [

            "SDL",

            "TCP",

            "Automated",

            "Audit",

            "Diagnostics",

            "LoadBalancer"

         ],

         "Enabled": true

      },

      {

         "ControlID": "Azure_LoadBalancer_NetSec_Justify_PublicIPs",

         "Description": "Public IPs on a internet facing Load Balancer should be carefully reviewed",

         "Id": "LoadBalancer130",

         "ControlSeverity": "High",

         "Automated": "Yes",

         "MethodName": "CheckPublicIP",

         "Rationale": "Public IPs provide direct access over the internet exposing the infrastructure behind the load balancer to all type of attacks over the public network.",

         "Recommendation": "Use steps on portal :LoadBalancer Properties -> Frontend IP configuration -> Click on Context menu of desired Frontend IP configuration -> Delete",

         "Tags": [

            "SDL",

            "TCP",

            "Automated",

            "NetSec",

            "LoadBalancer"

         ],

         "Enabled": true,

         "DataObjectProperties": [

            "PublicIpAllocationMethod",

            "IpConfiguration",

            "Id",

            "DnsSettings"

         ]

      }

   ]

}