Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity — Low to High: Determines the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
| Rule ID | Title | Severity | Service Type | Resource Type |
|---|---|---|---|---|
| CSPM-AZURE-2024-0114 | Ensure That Microsoft Defender for App Services Is Set To ‘On’ (Automated) | Medium | Microsoft Defender | Security Configurations |
| CSPM-AZURE-2024-0116 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To ‘On’ (Automated) | High | Microsoft Defender | Pricings |
| CSPM-AZURE-2024-0121 | Ensure That Microsoft Defender for Key Vault Is Set To ‘On’ (Automated) | High | Microsoft Defender | Security Configurations |
| CSPM-AZURE-2024-0123 | Ensure That Microsoft Defender for Resource Manager Is Set To ‘On’ (Automated) | High | Microsoft Defender | Security Configurations |
| CSPM-AZURE-2024-0199 | Azure AI Services resources should have key access disabled (disable local authentication) | Medium | Azure AI Services | Cognitive Services Account |
| CSPM-AZURE-2024-0201 | Blocked accounts with read and write permissions on Azure resources should be removed | High | Microsoft Entra | Custom Roles |
| CSPM-AZURE-2024-0206 | Function apps should use managed identity | Medium | App Service | Apps |
| CSPM-AZURE-2024-0207 | Guest accounts with owner permissions on Azure resources should be removed | High | Microsoft Entra | Users |
| CSPM-AZURE-2024-0208 | Guest accounts with read permissions on Azure resources should be removed | Medium | Microsoft Entra | Users |
| CSPM-AZURE-2024-0209 | Guest accounts with write permissions on Azure resources should be removed | High | Microsoft Entra | Users |
| CSPM-AZURE-2024-0231 | Azure Defender for Azure SQL Database servers should be enabled | High | Microsoft Defender | Security Configurations |
| CSPM-AZURE-2024-0260 | Storage account public access should be disallowed | High | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0263 | App Configuration should use private link | Medium | App Configuration | Configuration Stores |
| CSPM-AZURE-2024-0271 | Azure Cosmos DB accounts should have firewall rules | High | Cosmos DB Resource Provider | Cosmos DB Account |
| CSPM-AZURE-2024-0275 | Azure File Sync should use private link | Medium | Storage Sync | Storage Sync Services |
| CSPM-AZURE-2024-0276 | Azure Key Vault should have firewall enabled | High | Key Vault | Key Vaults |
| CSPM-AZURE-2024-0277 | Azure Key Vaults should use private link | High | Key Vault | Key Vaults |
| CSPM-AZURE-2024-0279 | Azure Service Bus namespaces should use private link | High | Service Bus | Service Bus |
| CSPM-AZURE-2024-0280 | Azure SignalR Service should use private link | Medium | SignalR Service | SignalR Services |
| CSPM-AZURE-2024-0299 | Public network access on Azure SQL Database should be disabled | High | SQL Database | SQL Server |
| CSPM-AZURE-2024-0300 | Public network access should be disabled for MariaDB servers | High | MariaDB | MariaDB Servers |
| CSPM-AZURE-2024-0301 | Public network access should be disabled for MySQL servers | High | MySQL | Servers |
| CSPM-AZURE-2024-0302 | Public network access should be disabled for PostgreSQL servers | High | PostgreSQL | PostgreSQL Server |
| CSPM-AZURE-2024-0303 | Storage accounts should restrict network access | High | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0304 | Storage accounts should restrict network access using virtual network rules | Medium | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0326 | Provide the logout capability | Medium | Microsoft Entra ID | Application |
| CSPM-AZURE-2024-0476 | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | High | AKS | Kubernetes Cluster Extensions |
| CSPM-AZURE-2024-0529 | Geo-redundant backup should be enabled for Azure Database for MySQL | High | MySQL | Servers |
| CSPM-AZURE-2024-0530 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Medium | PostgreSQL | PostgreSQL Server |
| CSPM-AZURE-2024-0531 | Geo-redundant storage should be enabled for Storage Accounts | High | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0771 | Azure Key Vault should have firewall enabled | High | Key Vault | Key Vaults |
| CSPM-AZURE-2024-0782 | App Service apps should require FTPS only | Medium | App Service | Apps |
| CSPM-AZURE-2024-0783 | App Service apps should use the latest TLS version | High | App Service | Apps |
| CSPM-AZURE-2024-0788 | Function apps should require FTPS only | High | App Service | App Configuration |
| CSPM-AZURE-2024-0789 | Function apps should use the latest TLS version | High | App Service | Apps |
| CSPM-AZURE-2024-0792 | Secure transfer to storage accounts should be enabled | High | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0803 | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Medium | Cosmos DB Resource Provider | Cosmos DB Account |
| CSPM-AZURE-2024-0811 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Medium | Stream Analytics | Streaming Job |
| CSPM-AZURE-2024-0824 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | High | Compute | Disks |
| CSPM-AZURE-2024-0833 | Storage accounts should use customer-managed key for encryption | Medium | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0858 | Storage accounts should have infrastructure encryption | Medium | Storage Resource Provider | Storage Accounts |
| CSPM-AZURE-2024-0864 | App Service apps should use latest ‘HTTP Version’ | Medium | App Service | App Configuration |
| CSPM-AZURE-2024-0865 | Function apps should use latest ‘HTTP Version’ | Medium | App Service | App Configuration |
