20 Important Compliance Rules to Follow for a Secure Azure Cloud

AUTHOR

Louis-Philippe Joly

One of the best ways to keep your Azure cloud secured is by using the many compliance rules available to you. The rules enable you to quickly view when something is not quite right and give you time to react accordingly.

Fortunately, Azure comes with many built-in compliance rules. Cloudockit also has its own rules that are not covered by Azure and, more importantly, allows you to create your own custom rules. Furthermore, you can use Cloudockit for your technical documentation needs and get all of your information in one place.

Below you will find a list of important rules to keep track of your cloud security. The list is only a portion of the rules you can use with Cloudockit.

Availability

Azure App Service Authentication Enabled

Azure App Service provides built-in authentication and authorization capabilities, but they are not enabled by default. The Azure App Service Authentication Enabled rule ensures authentication is enabled for App Services.

Azure Blob Service – Blob Containers Private Access

Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted, but this setting can be changed. Azure Blob Service – Blob Containers Private Access ensures that no blob container has anonymous public access set.

Azure Log Alerts – Security Policy Alerts Enabled

The Azure Activity log provides insight into any subscription-level events that have occurred in Azure. Azure Log Alerts – Security Policy Alerts Enabled provides an alert when an activity log event is triggered by the creation or update of a Security Policy Rule.

Azure Virtual Machine – Scale Set Multi-AZ

To protect your virtual machine scale sets from data center-level failures, you can create a scale set across Availability Zones. Using Azure Virtual Machine – Scale Set Multi-AZ will ensure Virtual Machine scale sets are created to be cross-AZ for high availability.

Azure CosmoDB – Firewall

To secure the data stored in your account, Azure Cosmos DB supports a secret-based authorization model as well as IP-based access controls for inbound firewall support. The Azure CosmoDB – Firewall compliance rule enables you to quickly see whether an Azure Cosmos DB account has no firewall configured.

Performance

Azure App Service – Quota

To make sure you do not exceed the budget, Azure App Service – Quota will ensure the file system storage quota is not exceeded.

Azure Virtual Networks – Multiple Subnets

Azure Virtual Networks – Multiple Subnets will allow you to view which virtual networks have multiple subnets. Having multiple subnets in a virtual network will improve speed and enable you to have better traffic management.

Best Practice

Azure PostgreSQL Server – Connection Throttling Enabled

Connection throttling reduces the number of query and error logs sent by the server from the same IP address, limiting DoS attacks and the slowing down of servers due to excessive legitimate user logs. Turning on Azure PostgreSQL Server – Connection Throttling Enabled will enable you to quickly view which PostgreSQL servers do not have throttling enabled.

Azure PostgresSQLServer – Log Retention Days

A retention period of 4 days or more will allow you to collect the amount of logging data required to identify any PostgreSQL security and performance issues. Use Azure PostgresSQLServer – Log Retention Days to ensure you always have the necessary amount of logging to identify security issues.

Azure PostgreSQL Server – Log Disconnections Enabled

Azure PostgreSQL Server – Log Disconnections Enabled ensures disconnection logs are enabled for PostgreSQL servers. Enabling the log disconnections parameter starts recording PostgreSQL activity data that can be useful to identify, troubleshoot, and repair configuration errors and sub-optimal performance for your Microsoft Azure PostgreSQL database servers.

Security

Azure – App Service – HTTP2.0 Enabled

This compliance rule ensures the latest HTTP version is enabled for App Services. Enabling HTTP2.0 ensures that the App Service has the latest technology which improves server performance.

Azure Container Registry – Admin User

Each container registry includes an admin user account, which is disabled by default. Azure Container Registry – Admin User ensures that the admin user is not enabled on container registries.

Azure – Load Balancer HTTPS Only

Azure – Load Balancer HTTPS Only will ensure load balancers are configured to only accept connections on HTTPS ports. HTTPS is used for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security.

Azure – Security Center

Use the Azure – Security Center compliance rules to automatically extract information from Azure Security Center. The Azure Security Center is a tool for security management and threat protection. Since it is integrated with Azure Defender, Security Center protects workloads running in Azure.

Azure – Network Security Groups – Default Security Group

A network security group contains security rules that allow or deny inbound network traffic from several types of Azure resources. As an added safeguard, Azure – Network Security Groups – Default Security Group will ensure that default security groups block all traffic by default.

Azure – SQL Server – No Firewall Rules

Get notified with this compliance rule when your SQL server has no firewall rules. For security purposes, the Azure SQL Database firewall lets you decide which IP addresses may or may not have access to either your Azure SQL Server or your Azure SQL database.

Azure – SQL Server – No Public Access

Since you can store highly sensitive data in your Azure cloud, you need to ensure that SQL Servers do not allow public access.

Azure – Storage – Not Geo Redundant

Protect your data by ensuring your storage is geo-redundant (GZRS). With a GZRS storage account, you can continue to read and write data if an availability zone becomes unavailable or is unrecoverable. Your data also remains durable in the case of a complete regional outage or a disaster in which the primary region isn’t recoverable.

Azure – Virtual Machine – Auto Update

For security reasons, you should activate automatic updates. With Azure – Virtual Machine – Auto Update, you will instantly see which virtual machines do not have automatic updates enabled.

Azure – Storage – CORS

Use Azure – Storage – CORS to see which Azure Storage accounts have CORS configured with AllowedOrigins equal to “*”. The origin domain is the domain from which the request originates. The wildcard character “*” allows all origin domains to make requests via CORS.
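
The following Python code is an added example, not Cloudockit's rule format or code. It shows how several of the checks listed above (blob container private access, container registry admin user, storage CORS, and the three PostgreSQL settings) reduce to predicates over resource configuration. The inventory is constructed sample data, and the record layout, the rule labels, the function names and the choice to report a wildcard origin as a finding are assumptions of this example.

```python
# Added example: constructed sample inventory, not output from a real subscription.
INVENTORY = [
    {"type": "blobContainer", "name": "public-assets", "publicAccess": "Container"},
    {"type": "blobContainer", "name": "backups", "publicAccess": "None"},
    {"type": "containerRegistry", "name": "acrprod", "adminUserEnabled": True},
    {"type": "storageAccount", "name": "stweb",
     "corsRules": [{"allowedOrigins": ["*"]}]},
    {"type": "storageAccount", "name": "stapi",
     "corsRules": [{"allowedOrigins": ["https://app.example.com"]}]},
    {"type": "postgresServer", "name": "pg01",
     "parameters": {"log_retention_days": "3", "connection_throttling": "off",
                    "log_disconnections": "on"}},
]

def pg_param(res, key):
    # Server parameters arrive as strings; a missing one is treated as non-compliant.
    return str(res.get("parameters", {}).get(key, "")).strip().lower()

def retention_ok(res, minimum=4):
    # The text above recommends a retention period of 4 days or more.
    value = pg_param(res, "log_retention_days")
    return value.isdigit() and int(value) >= minimum

def cors_not_wildcard(res):
    # Assumption of this example: any rule allowing origin "*" is reported.
    return not any("*" in rule.get("allowedOrigins", [])
                   for rule in res.get("corsRules", []))

# Each rule is (label, predicate returning True when the resource is compliant).
RULES = {
    "blobContainer": [
        ("Blob Containers Private Access",
         lambda r: r.get("publicAccess") in (None, "None"))],
    "containerRegistry": [
        ("Admin User", lambda r: not r.get("adminUserEnabled", False))],
    "storageAccount": [("Storage CORS", cors_not_wildcard)],
    "postgresServer": [
        ("Log Retention Days", retention_ok),
        ("Connection Throttling Enabled",
         lambda r: pg_param(r, "connection_throttling") == "on"),
        ("Log Disconnections Enabled",
         lambda r: pg_param(r, "log_disconnections") == "on")],
}

def evaluate(inventory):
    """Return (resource name, rule label) for every failed check."""
    return [(res["name"], label)
            for res in inventory
            for label, compliant in RULES.get(res["type"], [])
            if not compliant(res)]

if __name__ == "__main__":
    for resource, rule in evaluate(INVENTORY):
        print(f"NON-COMPLIANT {resource}: {rule}")
```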