Azure
Azure Diagnosis Items
Category | Resource | Option | Item | Description | Risk Level | ISO27001 | CSAP | ISMS-P | Stability Assessment |
---|---|---|---|---|---|---|---|---|---|
App Service | Linux App Service | Failed Request Tracing Enabled | Logging Monitoring | Disable Failed Request Tracing Settings | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
App Service | Linux App Service | Detailed Error Messages Enabled | Logging Monitoring | Disable Error Page Storage Settings | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
App Service | Linux App Service | Auth Settings Enabled | User Identification and Authentication | Authentication Disabled | MEDIUM | 8.1 Operational planning and control | 10.3.3. Provision of Enhanced Authentication Measures | 2.5 Authentication and Authorization Management | 7.3.1 User Identification and Authentication |
App Service | Linux App Service | Ftps State | Access Control | Allow Unencrypted FTP Protocol | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
App Service | Linux App Service | Http2 Enabled | Network Security | HTTP2 not implemented | LOW | 8.1 Operational planning and control | 11.1.1 Network Security Policy Establishment | 2.10 System and Service Security Management | 8.3.1 Infrastructure Security |
App Service | Service Plan | Sku Tier | Network Security | Using SKU with Always On setting disabled | LOW | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
App Service | Windows App Service | Failed Request Tracing Enabled | Logging Monitoring | Disable Failed Request Tracing Settings | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
App Service | Windows App Service | Detailed Error Messages Enabled | Logging Monitoring | Disable Error Page Storage Settings | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
App Service | Windows App Service | Auth Settings Enabled | User Identification and Authentication | Authentication Disabled | MEDIUM | 8.1 Operational planning and control | 10.3.3. Provision of Enhanced Authentication Measures | 2.5 Authentication and Authorization Management | 7.3.1 User Identification and Authentication |
App Service | Windows App Service | Http2 Enabled | Network Security | HTTP2 not implemented | LOW | 8.1 Operational planning and control | 11.1.1 Network Security Policy Establishment | 2.10 System and Service Security Management | 8.3.1 Infrastructure Security |
App Service | Windows App Service | Ftps State | Access Control | Allow Unencrypted FTP Protocol | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Compute | Linux Virtual Machine Scale Set | Enable Ssh Key Authentication | User Identification and Authentication | SSH key authentication not used | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Compute | Linux Virtual Machine | Enable Ssh Key Authentication | User Identification and Authentication | SSH key authentication not used | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Container | Container Registry | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Container | Container Registry | Admin Enabled | Access Control | Administrator enabled | MEDIUM | 8.1 Operational planning and control | 10.2.1. User Registration and Authorization | 2.5 Authentication and Authorization Management | 7.2.2 Access Rights Management |
Container | Kubernetes | Default Node Pool > Enable Node Public Ip | Access Control | Node Public IP enabled | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Container | Kubernetes Cluster | Sku Tier | Network Security | Free SKU does not provide Uptime SLA service | HIGH | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
Container | Kubernetes Cluster | Default Node Pool > Max Pods | Network Security | Insufficient maximum number of pods that can be created | HIGH | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
Container | Kubernetes Cluster | Api Server Authorized Ip Ranges | Access Control | Setting the entire range of accessible IP addresses | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Container | Kubernetes Cluster | Network Policy | Network Security | Network policy not configured | CRITICAL | 8.1 Operational planning and control | 11.1.1 Network Security Policy Establishment | 2.10 System and Service Security Management | 8.3.1 Infrastructure Security |
Cosmosdb | Cosmosdb Cassandra, Cosmosdb Gremlin, Cosmosdb Mongo, Cosmosdb Sql, Cosmosdb Table | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Mssql Server | Auditing Policy > Enable Storage Destination, Auditing Policy > Enable Log Analytics Destination | Logging Monitoring | Audit policy disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Enable Storage Destination, Storage Retention Days | Logging Monitoring | Short log retention period | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Security Alert Policy > Alert Policy State, Security Alert Policy > Disabled Alerts | Logging Monitoring | Specific threat alerts disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Security Alert Policy > Alert Policy State, Security Alert Policy > Alert Retention Days | Logging Monitoring | Short log retention period | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Security Alert Policy > Alert Policy State, Security Alert Policy > Alert Email Addresses | Logging Monitoring | Security alert email address not configured | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Security Alert Policy > Alert Policy State, Security Alert Policy > Alert Email Account Admins | Logging Monitoring | Subscriber security alerts disabled | LOW | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Security Alert Policy > Alert Policy State | Logging Monitoring | Security alert disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mssql Server | Minimum Tls Version | Encryption | Use of Weak TLS Versions | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Database | Mysql | Threat Detection Enabled | Logging Monitoring | Threat Detection Disabled | HIGH | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mysql | Firewall Rule > Start Ip Address, Firewall Rule > End Ip Address | Access Control | Setting the entire range of accessible IP addresses | HIGH | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Mysql | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Mysql | Minimum Tls Version | Encryption | Use of Weak TLS Versions | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Database | Mysql | Ssl Enforcement Enabled | Network Security | Encryption Connection Not Applied | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Database | Mysql Database | Enable Storage Destination, Storage Retention Days | Logging Monitoring | Short log retention period | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mysql Database | Auditing Policy > Enable Storage Destination, Auditing Policy > Enable Log Analytics Destination | Logging Monitoring | Audit policy disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Mysql Database | Zone Redundant | Data Protection | Zone Redundancy Disabled | HIGH | 8.1 Operational planning and control | 12.1.4. Data Protection | 2.9 System and Service Operation Management | 10.1.4 Data Protection |
Database | Mysql Flexible | Firewall Rule > Start Ip Address, Firewall Rule > End Ip Address | Access Control | Setting the entire range of accessible IP addresses | HIGH | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Mysql Server | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Postgresql | Configuration > Log Retention | Logging Monitoring | Log Retention Disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Postgresql | Configuration > Connection Throttling | Logging Monitoring | Connection Throttling Disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Postgresql | Configuration > Log Checkpoint | Logging Monitoring | Log Checkpointing Disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Postgresql | Configuration > Log Connections | Logging Monitoring | Log Connections Disabled | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
Database | Postgresql | Firewall Rule > Start Ip Address, Firewall Rule > End Ip Address | Access Control | Setting the entire range of accessible IP addresses | HIGH | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Postgresql | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Database | Postgresql | Minimum Tls Version | Encryption | Use of Weak TLS Versions | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Database | Postgresql | Ssl Enforcement Enabled | Network Security | Encryption Connection Not Applied | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Database | Postgresql Flexible | Geo Redundant Backup Enabled | Data Protection | Geo-Redundant Backup Disabled | HIGH | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
Database | Postgresql Flexible | Firewall Rule > Start Ip Address, Firewall Rule > End Ip Address | Access Control | Setting the entire range of accessible IP addresses | HIGH | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Key Vault | Key Vault | Network Acl Action | Access Control | Deny Requests That Do Not Match Configured IP | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Key Vault | Key Vault | Purge Protection Enabled | Data Protection | Disable Deletion Protection | MEDIUM | 8.1 Operational planning and control | 12.1.4. Data Protection | 2.9 System and Service Operation Management | 10.1.4 Data Protection |
Key Vault | Key Vault | Key Vault Secret > Content Type | Encryption | Secret Content Type Not Configured | LOW | 8.1 Operational planning and control | 12.3.2. Encryption Key Management | 2.7 Cryptography Application | 10.2.2 Encryption |
Key Vault | Key Vault | Key Vault Secret > Enabled Expiration Date | Encryption | Secret Expiration Setting Disabled | LOW | 8.1 Operational planning and control | 12.3.2. Encryption Key Management | 2.7 Cryptography Application | 10.2.2 Encryption |
Key Vault | Key Vault | Key Vault Key > Enabled Expiration Date | Encryption | Key Expiration Setting Disabled | MEDIUM | 8.1 Operational planning and control | 12.3.2. Encryption Key Management | 2.7 Cryptography Application | 10.2.2 Encryption |
Network | Application Gateway | Http Listener > Protocol | Access Control | Use of Unencrypted HTTP Protocol | CRITICAL | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Network | Network Security Group | Security Rules > Direction, Security Rules > Access, Security Rules > Source Address Prefixes, Security Rules > Destination Port Ranges | Access Control | FTP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Network | Network Security Group | Security Rules > Direction, Security Rules > Access, Security Rules > Source Address Prefixes, Security Rules > Destination Port Ranges | Access Control | SSH Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Network | Network Security Group | Security Rules > Direction, Security Rules > Access, Security Rules > Source Address Prefixes, Security Rules > Destination Port Ranges | Access Control | HTTP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Network | Network Security Group | Security Rules > Direction, Security Rules > Access, Security Rules > Source Address Prefixes, Security Rules > Destination Port Ranges | Access Control | RDP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Network | Network Security Group | Security Rules > Direction, Security Rules > Access, Security Rules > Source Address Prefixes / | Access Control | CIDR Exposed Entirely | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Network | Network Security Group | Security Rules > Direction, Security Rules > Access, Security Rules > Source Address Prefixes / | Access Control | CIDR Exposed Entirely | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Network | Web Application Firewall Policy | Owasp Version | Data Protection | Using a Version Without Rules to Defend Against Log4Shell | CRITICAL | 8.1 Operational planning and control | 12.1.4. Data Protection | 2.9 System and Service Operation Management | 10.1.4 Data Protection |
Redis Cache | Redis Cache | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Redis Cache | Redis Cache | Sku Name | Data Protection | Using a SKU That Does Not Provide Replication Features | HIGH | 8.1 Operational planning and control | 12.1.4. Data Protection | 2.9 System and Service Operation Management | 10.1.4 Data Protection |
Redis Cache | Redis Cache | Minimum Tls Version | Encryption | Use of Weak TLS Versions | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Redis Cache | Redis Cache | Enable Non Ssl Port | Access Control | Allowing Unencrypted Communication | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Storage | Storage Account | Networking > Bypass | Access Control | Bypass of Azure Service Not Possible | HIGH | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Storage | Storage Account | Storage Container > Container Access Type | Access Control | Public Access Item Configuration | HIGH | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Storage | Storage Account | Public Network Access Enabled | Access Control | Public network access allowed | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
Storage | Storage Account | Minimum Tls Version | Encryption | Use of Weak TLS Versions | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
Storage | Storage Account | Enable Https Traffic Only | Access Control | Using Unencrypted HTTP Protocol | CRITICAL | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |