Framework/Configurations/SVT/Services/LogicApps.json
{
"FeatureName": "LogicApps", "Reference": "aka.ms/azsktcp/logicapps", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_LogicApps_Deploy_Dont_Use_Apps_In_Same_RG_Unless_Trust", "Description": "Multiple Logic Apps should not be deployed in the same resource group unless they trust each other", "Id": "LogicApps110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckLogicAppsInSameRG", "Rationale": "API Connections contain critical information like credentials/secrets, etc., provided as part of configuration. Logic App can use all API Connections present in the same Resource Group. Thus, Resource Group should be considered as security boundary when threat modeling.", "Recommendation": "Separate Logic Apps into different resource groups unless the apps trust each other and need to use API Connections present in the resource group.", "Tags": [ "SDL", "Best Practice", "Automated", "Deploy" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Connector_Use_Min_Permissions", "Description": "Logic App connectors must have minimum required permissions on data source", "Id": "LogicApps130", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "This ensures that connectors can be used only towards intended actions in the Logic App", "Recommendation": "Connectors must be configured with minimum permissions. E.g., 'SQL Server-Get Row' must use an account with only Read permission on the required table.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "LogicApps140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Assign 'Logic App Contributor' role to developers and 'Logic App Operator' role to operators. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-access-to-manage-or-edit-logic-apps", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control", "Description": "If Logic App fires on an HTTP Request (e.g. Request or Webhook) then provide IP ranges for triggers to prevent unauthorized access", "Id": "LogicApps150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckTriggersAccessControl", "Rationale": "Specifying the IP range ensures that the triggers can be invoked only from a restricted set of endpoints.", "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Workflow settings --> Access Control Configuration and setting the IP addresses/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as this means access to all IPs. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Provide_Contents_Access_Control", "Description": "Must provide IP ranges for contents to prevent unauthorized access to inputs/outputs data of Logic App run history", "Id": "LogicApps160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckContentsAccessControl", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.", "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Workflow settings --> Access Control Configuration and setting the IP addresses/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as this means access to all IPs. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_DP_Dont_Allow_PlainText_Secrets_In_Codeview", "Description": "Application secrets and credentials must not be in plain text in source code (code view) of a Logic App", "Id": "LogicApps180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckConnectorsSecretsHandling", "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.", "Recommendation": "Use 'secureString' type parameter in Logic App code view for secret parameters. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-parameters-and-inputs-within-a-workflow", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_DP_Rotate_Keys", "Description": "Logic App access keys must be rotated periodically", "Id": "LogicApps190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "Recommendation": "Rotate access keys at regular intervals. Naviagte to Logic App --> Access Keys --> Regenerate Access Key to generate a new access key.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "LogicApps200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "PolicyDefinitionGuid":"34f95f76-5386-4de7-b824-0d8478470c9d", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d", "Enabled": true }, { "ControlID": "Azure_LogicApps_BCDR_Backup_Periodically", "Description": "Logic App Code View code should be backed up periodically", "Id": "LogicApps210", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Logic App code view contains application's workflow logic and API connections detail which could be lost if there is no backup. No backup/disaster recovery feature is available out of the box in Logic Apps.", "Recommendation": "Navigate to Logic App --> Logic App Code View and save content to a backup location.", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR" ], "Enabled": true } ] } |