To add an additional layer of security to the account resources, update the firewall and the virtual network configuration for your Cosmos DB Accounts.
Cosmos DB Account does not have Automatic Failover enabled.
To enable resource replication and fault tolerance at the account level, make sure your Cosmos DB Accounts have the Automatic Failover feature enabled.
PostgreSQL Server has no "connection_throttling" server parameter specified.
To enable temporary connection throttling per IP address after too many failed login attempts, ensure the "connection_throttling" parameter is enabled for all PostgreSQL Database Servers.
PostgreSQL Server has no "log_checkpoints" server parameter specified.
To have checkpoints and restart points logged in the PostgreSQL server log, ensure the "log_checkpoints" parameter is enabled for all PostgreSQL Database Servers.
PostgreSQL Server has no "log_connections" server parameter specified.
To have each attempted connection to the database server logged, ensure the "log_connections" parameter is enabled for all PostgreSQL Database Servers.
PostgreSQL Server has no "log_duration" server parameter specified.
To record the duration of each completed PostgreSQL statement, ensure the "log_duration" parameter is enabled for all PostgreSQL Database Servers.
To fulfill HIPAA and PCI requirements on retaining logs for a minimum of 365 days, ensure that the Log Profile created for your activity log has a retention period set either to 0 (retain data forever) or to 365 days or more.
Virtual Machine has Accelerated Networking feature disabled.
To provide low latency and high throughput for the network interfaces (NICs) attached to the VMs, ensure that the Accelerated Networking feature is enabled for your VMs.
Virtual Machine does not have a system-assigned managed identity enabled.
To allow VMs to authenticate securely to any service that supports Azure AD authentication without keeping credentials in your code, ensure that your VMs have system-assigned managed identities enabled.
Virtual Machine uses no Azure Active Directory (AAD) credentials for secure SSH/RDP access.
To simplify access permission management by enforcing policies that allow or deny access to your VMs from one central location, ensure that your VMs have the AAD-based SSH Login extension installed.
Virtual Machine Scale Set has Automatic Repairs feature disabled.
To have unhealthy VM instances automatically deleted and the new ones created with the latest instance model settings, ensure that your VM scale sets have Health Monitoring and Automatic Repairs features enabled.
Virtual Machine Scale Set has neither Rolling nor Automatic upgrade policy.
To ease update management by safely and automatically upgrading the OS disk for all instances in the scale set, ensure that your VM scale sets have either Rolling or Automatic upgrade policy enabled.
Virtual Machine does not have boot diagnostics enabled.
To capture server serial console output and the OS screenshots required for diagnosing and troubleshooting VM startup issues, make sure the VMs have boot diagnostics enabled.
Virtual Machine uses no Azure Active Directory (AAD) credentials for secure SSH/RDP access.
To simplify access permission management by enforcing policies that allow or deny access to your VMs from one central location, ensure that your VMs have the AAD-based SSH Login extension installed.
Virtual Machine does not have a system-assigned managed identity enabled.
To allow VMs to authenticate securely to any service that supports Azure AD authentication without keeping credentials in your code, ensure that your VMs have system-assigned managed identities enabled.
Virtual Machine Scale Set uses no Azure Active Directory (AAD) credentials for secure SSH/RDP access.
To simplify access permission management by enforcing policies that allow or deny access to your VM scale sets from one central location, ensure that your VM scale sets have the AAD-based login extension installed.
Virtual Machine Scale Set has Automatic Repairs feature disabled.
To have unhealthy VM instances automatically deleted and the new ones created with the latest instance model settings, ensure that your VM scale sets have Health Monitoring and Automatic Repairs features enabled.
Virtual Machine Scale Set has Termination Notifications feature disabled.
To receive instance termination notifications through the Azure Metadata service, ensure that your VM scale sets have Termination Notifications feature enabled.
Virtual Machine Scale Set uses no Azure Active Directory (AAD) credentials for secure SSH/RDP access.
To simplify access permission management by enforcing policies that allow or deny access to your VM scale sets from one central location, ensure that your VM scale sets have the AAD-based login extension installed.
Virtual Machine Scale Set has Automatic Repairs feature disabled.
To have unhealthy VM instances automatically deleted and the new ones created with the latest instance model settings, ensure that your VM scale sets have Health Monitoring and Automatic Repairs features enabled.
Virtual Machine Scale Set has neither Rolling nor Automatic upgrade policy.
To ease update management by safely and automatically upgrading the OS disk for all instances in the scale set, ensure that your VM scale sets have either Rolling or Automatic upgrade policy enabled.
Virtual Machine Scale Set has Termination Notifications feature disabled.
To receive instance termination notifications through the Azure Metadata service, ensure that your VM scale sets have Termination Notifications feature enabled.
Virtual Machine Scale Set uses no Azure Active Directory (AAD) credentials for secure SSH/RDP access.
To simplify access permission management by enforcing policies that allow or deny access to your VM scale sets from one central location, ensure that your VM scale sets have the AAD-based login extension installed.
Virtual Machine Scale Set has Termination Notifications feature disabled.
To receive instance termination notifications through the Azure Metadata service, ensure that your VM scale sets have Termination Notifications feature enabled.
To have more granular control over your VM data encryption/decryption process, ensure that VM disks are created using customer-managed keys (also known as Bring Your Own Key, BYOK).
To prevent your websites/web applications from being idled out due to inactivity and to keep them loaded even when there's no traffic, ensure that your App Services have Always On feature enabled.
To redirect all non-secure HTTP requests to HTTPS so that the traffic between the web application servers and the application clients cannot be intercepted in plaintext, enforce HTTPS-only traffic for your App Services.
To fulfill HIPAA requirements on backups of all user data and inventory to secure its future availability, ensure that SQL Database instances can be restored to a recent point.
SQL Database is configured to retain backups for 5 days, while the recommended minimum is 7 days.
To fulfill HIPAA requirements on backups of all user data and inventory to secure its future availability, ensure that SQL Databases have a sufficient Point in Time Restore (PITR) backup retention period configured.
SQL Server Auditing retention is 10 days, while the recommended minimum is 90 days.
To fulfill HIPAA requirements on a secure audit record for read/write/delete activities in the system, ensure that SQL Servers have a sufficient log data retention period, i.e. 90 days or more.
To fulfill HIPAA requirements on backups of all user data and inventory to secure its future availability, ensure that SQL Database instances can be restored to a recent point.
To provide a set of advanced SQL security capabilities for your SQL Database Servers, ensure that Advanced Data Security is enabled within your SQL Server configuration settings.
To send alerts about unusual activity, vulnerabilities, and threats to the account admins and subscription owners, ensure that Advanced Data Security for SQL Servers has Email Account Admins enabled.
To fulfill HIPAA requirements on a secure audit record for read/write/delete activities in the system, ensure that the SQL Server audit action groups are configured to include at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP.
SQL Server has TDE (Transparent Data Encryption) that uses a Microsoft-managed key instead of BYOK (Bring Your Own Key).
For greater control, transparency and security through full control of the encryption keys, ensure your SQL Server data at rest is protected with a key from your own Azure Key Vault.
Network Security Group (NSG) has flow log retention set to 31 days, while the recommended minimum is 90 days.
To fulfill HIPAA requirements on a secure audit record for read/write/delete activities in the system, ensure that NSGs have a sufficient flow log retention period, i.e. 90 days or more.
Network Load Balancer has no HTTPS configured, while other ports are open.
To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that each Load Balancer is configured to only accept HTTPS connections.
To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enable HTTPS and disable HTTP for each custom origin endpoint for each CDN Profile.
Storage Account is configured to allow access to traffic from all networks (including Internet traffic).
To fulfill PCI requirements on segmenting networks using firewalls and HIPAA access controls that require data access to be restricted to known sources, configure your Storage Account to deny access to traffic from all networks by default.
Storage Account Blob has Soft Delete data retention period configured to 7 days, while the recommended minimum is 31 days or more.
To handle your data restoration process in the event of a failure more efficiently, ensure that your Storage Blob objects have a sufficient Soft Delete data retention period, i.e. greater than 30 days.
Storage Account uses a Microsoft-managed key instead of BYOK (Bring Your Own Key).
For greater control, transparency and security through full control of the encryption keys, ensure your Storage Account data at rest is protected with a key from your own Azure Key Vault.
Storage Account is configured not to allow trusted Azure services to access it.
To allow trusted cloud services to access your Storage Account while firewall rules are enabled, add an exception so that the trusted Azure services can bypass your network rules and still access your Storage Account.
To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, ensure that only HTTPS traffic is allowed to Storage Account endpoints.
Storage Account Blob has Soft Delete data retention period configured to 3 days, while the recommended minimum is 31 days or more.
To handle your data restoration process in the event of a failure more efficiently, ensure that your Storage Blob objects have a sufficient Soft Delete data retention period, i.e. greater than 30 days.
Storage Account uses a Microsoft-managed key instead of BYOK (Bring Your Own Key).
For greater control, transparency and security through full control of the encryption keys, ensure your Storage Account data at rest is protected with a key from your own Azure Key Vault.
Storage Account is configured to allow access to traffic from all networks (including Internet traffic).
To fulfill PCI requirements on segmenting networks using firewalls and HIPAA access controls that require data access to be restricted to known sources, configure your Storage Account to deny access to traffic from all networks by default.
Storage Account Blob has no Soft Delete data retention period configured.
To handle your data restoration process in the event of a failure more efficiently, ensure that your Storage Blob objects have a sufficient Soft Delete data retention period, i.e. greater than 30 days.
To fulfill HIPAA requirements on strict integrity of the stored data and its protection against corruption or malicious destruction, ensure that all Blob Containers that store critical data have an immutable blob storage policy attached.
To fulfill HIPAA and PCI DSS requirements on strict access controls to all data, ensure that all Blob Containers have anonymous public access disabled.
Key Vault has Soft Delete retention period set to 7 days, while the recommended minimum is 90 days.
To fulfill HIPAA requirements on protecting all encryption mechanisms against loss or modification, ensure that Key Vaults have the recommended Soft Delete retention period, i.e. 90 days.
Key Vault does not grant vault access to trusted Microsoft services.
To allow trusted Azure cloud services to work as intended and access your vault resources, enable the "Allow trusted Microsoft services to bypass this firewall" exception in your Key Vault network firewall configuration.
Key Vault allows access to traffic from all networks, including the public Internet.
To add a layer of security by limiting access to trusted networks and/or IP addresses, change the Key Vault firewall default action from "Allow" to "Deny" and configure the appropriate access.
Security Contact is not configured to send security alerts to administrators.
To notify subscription owners/administrators about detected vulnerabilities and other security issues, ensure that security alerts are configured to be sent to subscription owners/administrators.
Automatic Provisioning of the Monitoring Agent is not enabled.
To collect security data and events from your cloud compute resources in order to help you prevent, detect, and respond effectively to security issues, ensure that automatic provisioning of the monitoring agent is enabled in your Microsoft Azure account.
Policy Assignment for Azure Security Benchmark initiative contains disabled policy "Vulnerabilities in security configuration on your machines should be remediated".
To allow Defender for Cloud to determine whether your Virtual Machines are vulnerable to attacks, enable the "systemConfigurationsMonitoringEffect" parameter of the Policy Assignment.
Policy Assignment for Azure Security Benchmark initiative contains disabled policy "Monitor missing Endpoint Protection in Azure Security Center".
To allow Defender for Cloud to identify and remove malware from your Virtual Machines, enable the "endpointProtectionMonitoringEffect" parameter of the Policy Assignment.
Standard pricing is not enabled for the service "SqlServers".
To enable enhanced security features, such as regulatory compliance reports or threat protection, enable Microsoft Defender for Cloud for all resources in your subscription.
Standard pricing is not enabled for the service "SqlServerVirtualMachines".
To enable enhanced security features, such as regulatory compliance reports or threat protection, enable Microsoft Defender for Cloud for all resources in your subscription.
Standard pricing is not enabled for the service "OpenSourceRelationalDatabases".
To enable enhanced security features, such as regulatory compliance reports or threat protection, enable Microsoft Defender for Cloud for all resources in your subscription.
Standard pricing is not enabled for the service "CosmosDbs".
To enable enhanced security features, such as regulatory compliance reports or threat protection, enable Microsoft Defender for Cloud for all resources in your subscription.