Query: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources

Description

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users.

Query

Tables used in this query:

• azure_subscription

Controls using this query:

• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'
• 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
• 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
• 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
• 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
• 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
• 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
• 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• 3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• 3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
• 3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
• 3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
• 3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On'
• 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests
• 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
• 3.16 Ensure 'Cross Tenant Replication' is not enabled
• 3.2 Ensure that storage account access keys are periodically regenerated
• 3.2 Ensure that storage account access keys are periodically regenerated
• 3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 3.4 Ensure that shared access signature tokens expire within an hour
• 3.4 Ensure that shared access signature tokens expire within an hour
• 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 4.16 Ensure 'Cross Tenant Replication' is not enabled
• 4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
• 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
• 5.1.1 Ensure that a 'Diagnostic Setting' exists
• 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• 5.1.1 Ensure that a 'Diagnostics Setting' exists
• 5.1.1 Ensure that a 'Diagnostics Setting' exists
• 5.1.1 Ensure that a 'Diagnostics Setting' exists
• 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
• 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
• 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
• 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
• 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled.
• 5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled
• 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
• 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
• 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible
• 6.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
• 6.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
• 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 7.4 Ensure that only approved extensions are installed
• 7.4 Ensure that only approved extensions are installed
• 7.4 Ensure that only approved extensions are installed
• 7.5 Ensure that Only Approved Extensions Are Installed
• 7.5 Ensure that Only Approved Extensions Are Installed
• 7.5 Ensure that the endpoint protection for all Virtual Machines is installed
• 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
• 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
• 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
• 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
• 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
• 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
• 7.6 Ensure that VHD's are encrypted
• 7.7 [Legacy] Ensure that VHDs are Encrypted
• 7.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 7.7 Ensure that VHD's are encrypted
• 7.7 Ensure that VHD's are encrypted
• 7.7 Ensure that VHDs are Encrypted
• 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
• 7.9 Ensure Trusted Launch is enabled on Virtual Machines
• 8.10 Ensure only MFA enabled identities can access privileged Virtual Machine
• 8.11 Ensure Trusted Launch is enabled on Virtual Machines
• 8.3 Ensure that Resource Locks are set for mission critical Azure resources
• 8.5 Ensure that Resource Locks are set for mission critical Azure resources
• 8.7 Ensure that Only Approved Extensions Are Installed
• 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
• 8.9 [Legacy] Ensure that VHDs are Encrypted
• 9.10 Ensure Azure Key Vaults are Used to Store Secrets
• 9.11 Ensure Azure Key Vaults are Used to Store Secrets
• 9.11 Ensure Azure Key Vaults are Used to Store Secrets
• 9.11 Ensure Azure Keyvaults are used to store secrets
• 9.11 Ensure Azure Keyvaults are used to store secrets
• 9.11 Ensure Azure Keyvaults are used to store secrets
• 9.6 Ensure that 'Basic Authentication' is 'Disabled'
• 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
• 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
• 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
• 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
• 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app
• 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
• 9.7 Ensure that 'Python version' is the latest, if used to run the web app
• 9.7 Ensure that 'Python version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the Web App
• Accounts with owner permissions on Azure resources should be MFA enabled
• Accounts with read permissions on Azure resources should be MFA enabled
• Accounts with write permissions on Azure resources should be MFA enabled
• All Internet traffic should be routed via your deployed Azure Firewall
• Allowlist rules in your adaptive application control policy should be updated
• Audit Linux machines that do not have the passwd file permissions set to 0644
• Authorize access to security functions and information
• Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
• Azure Automation accounts should use customer-managed keys to encrypt data at rest
• Azure Backup should be enabled for Virtual Machines
• Azure Data Box jobs should enable double encryption for data at rest on the device
• Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
• Azure Machine Learning workspaces should use private link
• Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
• Azure Monitor Logs clusters should be encrypted with customer-managed key
• Azure Recovery Services vaults should use customer-managed keys for encrypting backup data
• Azure Stream Analytics jobs should use customer-managed keys to encrypt data
• Azure Web PubSub Service should use private link
• Bot Service should be encrypted with a customer-managed key
• Certificates should have the specified maximum validity period
• Container registry images should have vulnerability findings resolved
• Endpoint protection solution should be installed on virtual machine scale sets
• IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)
• Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
• Kubernetes cluster containers should not share host process ID or host IPC namespace
• Kubernetes cluster containers should only use allowed AppArmor profiles
• Kubernetes cluster containers should only use allowed capabilities
• Kubernetes cluster containers should only use allowed images
• Kubernetes cluster containers should run with a read only root file system
• Kubernetes cluster pod hostPath volumes should only use allowed host paths
• Kubernetes cluster pods and containers should only run with approved user and group IDs
• Kubernetes cluster pods should only use approved host network and port range
• Kubernetes cluster services should listen only on allowed ports
• Kubernetes cluster should not allow privileged containers
• Kubernetes clusters should be accessible only over HTTPS
• Kubernetes clusters should not allow container privilege escalation
• Logic Apps Integration Service Environment should be encrypted with customer-managed keys
• Monitor missing Endpoint Protection in Azure Security Center
• Non-internet-facing virtual machines should be protected with network security groups
• Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
• SQL servers on machines should have vulnerability findings resolved
• System updates on virtual machine scale sets should be installed
• Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
• VM Image Builder templates should use private link
• Vulnerabilities in container security configurations should be remediated
• Windows machines should meet requirements for 'Security Options - Network Access'
• Windows machines should meet requirements for 'Security Options - Recovery console'
• Windows machines should meet requirements for 'Security Options - User Account Control'

SQL