Query: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
Description
Resource Manager locks give administrators a way to lock an Azure resource so that it cannot be deleted or modified. These locks sit outside the Role-Based Access Control (RBAC) hierarchy and, once applied, restrict the resource for all users regardless of their role assignments.
Query
Tables used in this query:
Controls using this query:
- 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'
- 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- 3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- 3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- 3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
- 3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
- 3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests
- 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
- 3.16 Ensure 'Cross Tenant Replication' is not enabled
- 3.2 Ensure that storage account access keys are periodically regenerated
- 3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- 3.4 Ensure that shared access signature tokens expire within an hour
- 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 4.16 Ensure 'Cross Tenant Replication' is not enabled
- 4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
- 5.1.1 Ensure that a 'Diagnostic Setting' exists
- 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- 5.1.1 Ensure that a 'Diagnostics Setting' exists
- 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled.
- 5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
- 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible
- 6.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 6.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 7.4 Ensure that only approved extensions are installed
- 7.5 Ensure that Only Approved Extensions Are Installed
- 7.5 Ensure that the endpoint protection for all Virtual Machines is installed
- 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
- 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
- 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
- 7.6 Ensure that VHD's are encrypted
- 7.7 [Legacy] Ensure that VHDs are Encrypted
- 7.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 7.7 Ensure that VHD's are encrypted
- 7.7 Ensure that VHDs are Encrypted
- 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
- 7.9 Ensure Trusted Launch is enabled on Virtual Machines
- 8.10 Ensure only MFA enabled identities can access privileged Virtual Machine
- 8.11 Ensure Trusted Launch is enabled on Virtual Machines
- 8.3 Ensure that Resource Locks are set for mission critical Azure resources
- 8.5 Ensure that Resource Locks are set for mission critical Azure resources
- 8.7 Ensure that Only Approved Extensions Are Installed
- 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- 8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
- 8.9 [Legacy] Ensure that VHDs are Encrypted
- 9.10 Ensure Azure Key Vaults are Used to Store Secrets
- 9.11 Ensure Azure Key Vaults are Used to Store Secrets
- 9.11 Ensure Azure Keyvaults are used to store secrets
- 9.6 Ensure that 'Basic Authentication' is 'Disabled'
- 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
- 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app
- 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- 9.7 Ensure that 'Python version' is the latest, if used to run the web app
- 9.8 Ensure that 'Java version' is the latest, if used to run the web app
- 9.8 Ensure that 'Java version' is the latest, if used to run the Web App
- Accounts with owner permissions on Azure resources should be MFA enabled
- Accounts with read permissions on Azure resources should be MFA enabled
- Accounts with write permissions on Azure resources should be MFA enabled
- All Internet traffic should be routed via your deployed Azure Firewall
- Allowlist rules in your adaptive application control policy should be updated
- Audit Linux machines that do not have the passwd file permissions set to 0644
- Authorize access to security functions and information
- Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
- Azure Automation accounts should use customer-managed keys to encrypt data at rest
- Azure Backup should be enabled for Virtual Machines
- Azure Data Box jobs should enable double encryption for data at rest on the device
- Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
- Azure Machine Learning workspaces should use private link
- Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
- Azure Monitor Logs clusters should be encrypted with customer-managed key
- Azure Recovery Services vaults should use customer-managed keys for encrypting backup data
- Azure Stream Analytics jobs should use customer-managed keys to encrypt data
- Azure Web PubSub Service should use private link
- Bot Service should be encrypted with a customer-managed key
- Certificates should have the specified maximum validity period
- Container registry images should have vulnerability findings resolved
- Endpoint protection solution should be installed on virtual machine scale sets
- IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)
- Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- Kubernetes cluster containers should not share host process ID or host IPC namespace
- Kubernetes cluster containers should only use allowed AppArmor profiles
- Kubernetes cluster containers should only use allowed capabilities
- Kubernetes cluster containers should only use allowed images
- Kubernetes cluster containers should run with a read only root file system
- Kubernetes cluster pod hostPath volumes should only use allowed host paths
- Kubernetes cluster pods and containers should only run with approved user and group IDs
- Kubernetes cluster pods should only use approved host network and port range
- Kubernetes cluster services should listen only on allowed ports
- Kubernetes cluster should not allow privileged containers
- Kubernetes clusters should be accessible only over HTTPS
- Kubernetes clusters should not allow container privilege escalation
- Logic Apps Integration Service Environment should be encrypted with customer-managed keys
- Monitor missing Endpoint Protection in Azure Security Center
- Non-internet-facing virtual machines should be protected with network security groups
- Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
- SQL servers on machines should have vulnerability findings resolved
- System updates on virtual machine scale sets should be installed
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
- VM Image Builder templates should use private link
- Vulnerabilities in container security configurations should be remediated
- Windows machines should meet requirements for 'Security Options - Network Access'
- Windows machines should meet requirements for 'Security Options - Recovery console'
- Windows machines should meet requirements for 'Security Options - User Account Control'