Framework/Configurations/SVT/Services/LoadBalancer.json
{
"FeatureName": "LoadBalancer", "Reference": "aka.ms/azsktcp/loadbalancer", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_LoadBalancer_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "LoadBalancer110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Load Balancer. Assign the 'Log Analytics Contributor', 'Network Contributor' or 'Virtual Machine Contributor' RBAC role to developers who manage Load Balancer configurations. Run command: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "LoadBalancer" ], "Enabled": true }, { "ControlID": "Azure_LoadBalancer_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "LoadBalancer120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics", "LoadBalancer" ], "Enabled": true }, { "ControlID": "Azure_LoadBalancer_NetSec_Justify_PublicIPs", "Description": "Public IPs on an internet-facing Load Balancer should be carefully reviewed", "Id": "LoadBalancer130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIP", "Rationale": "Public IPs provide direct access over the internet, exposing the infrastructure behind the load balancer to all types of attacks over the public network.", "Recommendation": "Use steps on portal: LoadBalancer Properties -> Frontend IP configuration -> Click on Context menu of desired Frontend IP configuration -> Delete", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "LoadBalancer" ], "Enabled": true, "DataObjectProperties": [ "PublicIpAllocationMethod", "IpConfiguration", "Id", "DnsSettings" ], "PolicyDefinitionGuid": "LoadBalancer130" } ] }