Interpretation of the Columns in Benchmark Compliance Rules:

- Rule ID: A unique identifier for the specific security rule or check
- Title: A brief description of the security issue or misconfiguration
- Severity (Low, Medium, High or Critical): Indicates how much the misconfiguration increases exposure to attack
- Service Type: The Azure service affected or evaluated by the rule
- Resource Type: The specific Azure resource being audited
Rule ID | Title | Severity | Service Type | Resource Type |
---|---|---|---|---|
CSPM-AZURE-2024-0001 | The Use of Guest Users Detected | Medium | Microsoft Graph API | Guest Users |
CSPM-AZURE-2024-0003 | App Service Authentication is Disabled | High | Web | Authentication Settings |
CSPM-AZURE-2024-0004 | Client Certificates are Disabled | High | Web | Apps |
CSPM-AZURE-2024-0005 | FTP Deployment is Enabled. | High | Web | App Configuration |
CSPM-AZURE-2024-0006 | HTTP 2.0 Disabled | Medium | Web | App Configuration |
CSPM-AZURE-2024-0007 | HTTP traffic is Permitted | High | Web | Apps |
CSPM-AZURE-2024-0008 | Managed Service Identities Disabled | High | Web | Apps |
CSPM-AZURE-2024-0009 | Web App is using an Outdated Version of the .Net Framework | Medium | Web | App Configuration |
CSPM-AZURE-2024-0011 | Web Application is using an Outdated PHP Version | High | Web | App Configuration |
CSPM-AZURE-2024-0012 | Web Application is using an Outdated Python Version | High | Web | App Configuration |
CSPM-AZURE-2024-0013 | Insecure TLS Version Detected | High | Web | Apps |
CSPM-AZURE-2024-0015 | Key Vault, if deleted or purged, is Not Recoverable | High | Key Vault | Key Vaults |
CSPM-AZURE-2024-0016 | Key Vaults Allowing Public Network Access | High | Key Vault | Key Vaults |
CSPM-AZURE-2024-0017 | Key Vault Role Based Access Control Disabled | High | Key Vault | Key Vaults |
CSPM-AZURE-2024-0031 | Database PostgreSQL Allows Ingress 0.0.0.0/0 (Any IP) | High | DBforPostgreSQL | Firewall Rules |
CSPM-AZURE-2024-0047 | Microsoft Cloud App Security (MCAS) is Disabled in Security Center | Critical | Security | Security Settings |
CSPM-AZURE-2024-0048 | Windows Defender ATP (WDATP) is Disabled in Security Center | High | Security | Security Settings |
CSPM-AZURE-2024-0070 | Access keys are Not Rotated on Storage Accounts | Medium | Storage | Storage Accounts |
CSPM-AZURE-2024-0071 | Secure Transfer (HTTPS) is Not Enforced on Storage Accounts | Critical | Storage | Storage Accounts |
CSPM-AZURE-2024-0074 | Storage Accounts Allows Public Access | High | Storage | Storage Accounts |
CSPM-AZURE-2024-0075 | Storage Account Soft Delete is Disabled | Medium | Storage | Blob Services |
CSPM-AZURE-2024-0076 | “Allow trusted Microsoft services” is Disabled on Storage Accounts | Medium | Storage | Storage Accounts |
CSPM-AZURE-2024-0086 | Ensure Trusted Locations Are Defined (Manual) | Critical | Microsoft Entra ID Conditional Access | Named Locations |
CSPM-AZURE-2024-0104 | Ensure That ‘Guest users access restrictions’ is set to ‘Guest user access is restricted to properties and memberships of their own directory objects’ (Manual) | Critical | Microsoft Entra ID | Authorization Policies |
CSPM-AZURE-2024-0105 | Ensure that ‘Guest invite restrictions’ is set to “Only users assigned to specific admin roles can invite guest users” (Manual) | Critical | Microsoft Entra ID | Authorization Policies |
CSPM-AZURE-2024-0114 | Ensure That Microsoft Defender for App Services Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0115 | Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0116 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0117 | Ensure That Microsoft Defender for Open Source Relational Databases Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0118 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0119 | Ensure That Microsoft Defender for Storage Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0120 | Ensure That Microsoft Defender for Containers Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0121 | Ensure That Microsoft Defender for Key Vault Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0122 | Ensure That Microsoft Defender for DNS Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0123 | Ensure That Microsoft Defender for Resource Manager Is Set To ‘On’ (Automated) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0129 | Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0130 | Ensure That Microsoft Defender for IoT Hub Is Set To ‘On’ (Manual) | Critical | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0131 | Ensure that “Enable Infrastructure Encryption” for Each Storage Account in Azure Storage is Set to “enabled” (Automated) | Critical | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0132 | Ensure that ‘Enable key rotation reminders’ is enabled for each Storage Account (Manual) | Critical | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0133 | Ensure that Storage Account Access Keys are Periodically Regenerated (Manual) | Medium | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0136 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated) | Critical | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0144 | Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled (Automated) | Medium | PostgreSQL | PostgreSQL Server |
CSPM-AZURE-2024-0151 | Use Entra ID Client Authentication and Azure RBAC where possible. (Manual) | Critical | Cosmos DB Resource Provider | Cosmos DB Account |
CSPM-AZURE-2024-0154 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual) | Critical | Network Watchers | Network Watchers Flow Logs |
CSPM-AZURE-2024-0167-01 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Critical | Virtual Networks | Public IP Addresses |
CSPM-AZURE-2024-0167-02 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Critical | Load Balancer | Load Balancer |
CSPM-AZURE-2024-0167-03 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Critical | Redis Cache | Redis Cache |
CSPM-AZURE-2024-0167-04 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Critical | SQL Database | SQL Database |
CSPM-AZURE-2024-0167-05 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Critical | SQL Database | Database |
CSPM-AZURE-2024-0186 | Ensure that Register with Entra ID is enabled on App Service (Automated) | Critical | App Service | Apps |
CSPM-AZURE-2024-0199 | Azure AI Services resources should have key access disabled (disable local authentication) | Medium | Azure AI Services | Cognitive Services Account |
CSPM-AZURE-2024-0206 | Function apps should use managed identity | Medium | App Service | Apps |
CSPM-AZURE-2024-0207 | Guest accounts with owner permissions on Azure resources should be removed | High | Microsoft Entra | Users |
CSPM-AZURE-2024-0208 | Guest accounts with read permissions on Azure resources should be removed | Medium | Microsoft Entra | Users |
CSPM-AZURE-2024-0209 | Guest accounts with write permissions on Azure resources should be removed | High | Microsoft Entra | Users |
CSPM-AZURE-2024-0231 | Azure Defender for Azure SQL Database servers should be enabled | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0263 | App Configuration should use private link | Medium | App Configuration | Configuration Stores |
CSPM-AZURE-2024-0271 | Azure Cosmos DB accounts should have firewall rules | High | Cosmos DB Resource Provider | Cosmos DB Account |
CSPM-AZURE-2024-0276 | Azure Key Vault should have firewall enabled | High | Key Vault | Key Vaults |
CSPM-AZURE-2024-0299 | Public network access on Azure SQL Database should be disabled | High | SQL Database | SQL Server |
CSPM-AZURE-2024-0300 | Public network access should be disabled for MariaDB servers | High | MariaDB | MariaDB Servers |
CSPM-AZURE-2024-0301 | Public network access should be disabled for MySQL servers | High | MySQL | Servers |
CSPM-AZURE-2024-0302 | Public network access should be disabled for PostgreSQL servers | High | PostgreSQL | PostgreSQL Server |
CSPM-AZURE-2024-0326 | Provide the logout capability | Medium | Microsoft Entra ID | Application |
CSPM-AZURE-2024-0476 | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | High | AKS | Kubernetes Cluster Extensions |
CSPM-AZURE-2024-0529 | Geo-redundant backup should be enabled for Azure Database for MySQL | High | MySQL | Servers |
CSPM-AZURE-2024-0530 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Medium | PostgreSQL | PostgreSQL Server |
CSPM-AZURE-2024-0771 | Azure Key Vault should have firewall enabled | High | Key Vault | Key Vaults |
CSPM-AZURE-2024-0782 | App Service apps should require FTPS only | Medium | App Service | Apps |
CSPM-AZURE-2024-0783 | App Service apps should use the latest TLS version | High | App Service | Apps |
CSPM-AZURE-2024-0788 | Function apps should require FTPS only | High | App Service | App Configuration |
CSPM-AZURE-2024-0789 | Function apps should use the latest TLS version | High | App Service | Apps |
CSPM-AZURE-2024-0792 | Secure transfer to storage accounts should be enabled | High | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0858 | Storage accounts should have infrastructure encryption | Medium | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0864 | App Service apps should use latest ‘HTTP Version’ | Medium | App Service | App Configuration |
CSPM-AZURE-2024-0865 | Function apps should use latest ‘HTTP Version’ | Medium | App Service | App Configuration |
CSPM-AZURE-2024-0969 | Azure Key Vault Managed HSM should have purge protection enabled | Medium | Key Vault | Key Vaults |
CSPM-AZURE-2024-1074 | Remove Unattached Virtual Machine Disk Volumes | Medium | Compute | Disks |
CSPM-AZURE-2024-1076 | Enable Defender for APIs | Medium | Defender for Cloud | APIs |