Interpretation of the Columns in Benchmark Compliance Rules:

- Rule ID: A unique identifier for the specific security rule or check
- Title: A brief description of the security issue or misconfiguration
- Severity (Low to High): Determines the risk of being exposed to attacks
- Service Type: The AWS service affected or evaluated by the rule
- Resource Type: The specific AWS resource being audited

| Rule ID | Title | Description | Severity | Service Type | Resource Type |
|---|---|---|---|---|---|
CSPM-AZURE-2024-0201 | Blocked accounts with read and write permissions on Azure resources should be removed | Ensure that any blocked accounts with read and write permissions on Azure resources are promptly removed. Blocked accounts pose a security risk as they can potentially be exploited to gain unauthorized access. Removing these accounts helps to maintain the integrity and security of your Azure environment. | High | Microsoft Entra | Custom Roles |
CSPM-AZURE-2024-0207 | Guest accounts with owner permissions on Azure resources should be removed | Guest accounts with owner permissions pose a significant security risk as they have full control over your Azure resources. It is crucial to remove such permissions to prevent unauthorized access and potential misuse. Ensure that only necessary and verified users have owner-level access to maintain the integrity and security of your cloud environment. | High | Microsoft Entra | Users |
CSPM-AZURE-2024-0208 | Guest accounts with read permissions on Azure resources should be removed | Guest accounts with read permissions on Azure resources pose a security risk as they can access sensitive information. It is recommended to remove these permissions to ensure that only authorized users have access to your Azure resources. This practice helps in maintaining a secure and compliant cloud environment. | Medium | Microsoft Entra | Users |
CSPM-AZURE-2024-0209 | Guest accounts with write permissions on Azure resources should be removed | Guest accounts with write permissions on Azure resources pose a significant security risk, as they can make unauthorized changes to your environment. To ensure the integrity and security of your Azure resources, it is recommended to remove any guest accounts that have write permissions. This will help prevent potential data breaches and unauthorized modifications. | High | Microsoft Entra | Users |
CSPM-AZURE-2024-0231 | Azure Defender for Azure SQL Database servers should be enabled | Enabling Azure Defender for Azure SQL Database servers provides advanced threat protection capabilities that help detect and mitigate potential security vulnerabilities. This proactive defense mechanism ensures that your SQL databases are safeguarded against malicious activities and breaches, thereby maintaining the integrity and security of your data. Make sure Azure Defender is activated to leverage these enhanced security features. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0476 | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Ensure that the Azure Policy Add-on for Kubernetes service (AKS) is installed and enabled on your clusters to enforce compliance and security policies. This add-on helps you manage and audit the policies applied to your AKS clusters, ensuring that they adhere to your organization’s security and governance standards. By enabling this add-on, you can automatically detect and remediate misconfigurations, enhancing the overall security posture of your Kubernetes environment. | High | AKS | Kubernetes Cluster Extensions |
CSPM-AZURE-2024-0529 | Geo-redundant backup should be enabled for Azure Database for MySQL | Enabling geo-redundant backups for Azure Database for MySQL ensures that your data is replicated across different geographical regions. This provides enhanced data protection and availability in the event of a regional outage or disaster. Configuring geo-redundant backups is crucial for maintaining business continuity and safeguarding against data loss. | High | MySQL | Servers |
CSPM-AZURE-2024-0530 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Enabling geo-redundant backup for Azure Database for PostgreSQL ensures that your data is replicated to a secondary region. This provides enhanced data protection and ensures business continuity in case of regional outages. It is a crucial configuration to safeguard your database against data loss and to maintain high availability. | Medium | PostgreSQL | PostgreSQL Server |
CSPM-AZURE-2024-0782 | App Service apps should require FTPS only | Ensure that your App Service applications are configured to require FTPS (FTP over SSL) only. This configuration enhances security by encrypting data transmitted between your applications and users, protecting sensitive information from potential interception and unauthorized access. | Medium | App Service | Apps |
CSPM-AZURE-2024-0788 | Function apps should require FTPS only | Ensure that your Azure Function Apps are configured to require FTPS (FTP over SSL/TLS) only. This enhances the security of your file transfers by encrypting the data in transit, protecting it from interception and unauthorized access. Configuring FTPS only helps in maintaining the confidentiality and integrity of your data. | High | App Service | App Configuration |
CSPM-AZURE-2024-0789 | Function apps should use the latest TLS version | Ensure that your Azure Function Apps are configured to use the latest version of TLS (Transport Layer Security). This helps to enhance the security of data in transit by using the most up-to-date encryption protocols, mitigating potential vulnerabilities associated with older versions of TLS. | High | App Service | Apps |
CSPM-AZURE-2024-0792 | Secure transfer to storage accounts should be enabled | Enabling secure transfer to storage accounts ensures that all data transferred to the storage account is encrypted using HTTPS. This helps to protect data in transit from being intercepted by malicious actors. It is a critical security measure to safeguard sensitive information and maintain compliance with security best practices. | High | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0803 | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Ensure that your Azure Cosmos DB accounts utilize customer-managed keys (CMKs) for encrypting data at rest. This enhances security by allowing you to control and manage the encryption keys, ensuring compliance with your organization’s security policies and regulatory requirements. | Medium | Cosmos DB Resource Provider | Cosmos DB Account |
CSPM-AZURE-2024-0833 | Storage accounts should use customer-managed key for encryption | Ensure that your storage accounts are configured to use customer-managed keys for encryption. This provides enhanced security by allowing you to manage and control the encryption keys used for securing your data, rather than relying on Microsoft-managed keys. This helps to meet compliance requirements and enhances data protection. | Medium | Storage Resource Provider | Storage Accounts |
CSPM-AZURE-2024-0864 | App Service apps should use latest ‘HTTP Version’ | Ensure that your App Service applications are configured to use the latest HTTP version to benefit from improved performance, security features, and support for modern web standards. Using the latest HTTP version helps protect your applications against known vulnerabilities and enhances the overall user experience. | Medium | App Service | App Configuration |
CSPM-AZURE-2024-0865 | Function apps should use latest ‘HTTP Version’ | Ensuring that your Function Apps use the latest HTTP version is crucial for maintaining optimal security and performance. The latest HTTP version includes improvements in speed, security features, and support for modern web standards. This helps protect against potential vulnerabilities and ensures that your applications can handle current web traffic efficiently. | Medium | App Service | App Configuration |
CSPM-AZURE-2024-1002-02 | Audit Virtual Machine Scale Sets that do not use managed disks | This rule identifies Azure Virtual Machine Scale Sets that are not configured to use managed disks. Managed disks provide enhanced availability, reliability, and performance compared to unmanaged disks. Ensuring that your VM Scale Sets use managed disks can help improve the overall security and efficiency of your cloud infrastructure. | Medium | Compute | Virtual Machine Scale Sets |
CSPM-AZURE-2024-1012 | Azure Defender for open-source relational databases should be enabled | Ensure that Azure Defender is enabled for open-source relational databases such as MySQL and PostgreSQL. This provides advanced threat protection, vulnerability assessments, and security alerts to safeguard your data against potential threats and security breaches. | High | PostgreSQL, MySQL, MariaDB | Databases |