Query: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources

Description

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users.

Query

Tables used in this query:

• azure_subscription

Controls using this query:

• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
• 10.1.3 Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
• 10.3.1.2 Ensure that Storage Account access keys are periodically regenerated
• 10.3.10 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
• 10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
• 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'
• 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
• 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
• 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
• 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
• 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
• 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
• 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• 3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• 3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• 3.1.2 Ensure that network security groups are configured for Databricks subnets
• 3.1.3 Ensure that traffic is encrypted between cluster worker nodes
• 3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
• 3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
• 3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
• 3.1.4.2 Ensure that 'Agentless discovery for Kubernetes' component status 'On'
• 3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On'
• 3.1.5 Ensure that Unity Catalog is configured for Azure Databricks
• 3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
• 3.1.7 Ensure that diagnostic log delivery is configured for Azure Databricks
• 3.16 Ensure 'Cross Tenant Replication' is not enabled
• 3.2 Ensure that storage account access keys are periodically regenerated
• 3.2 Ensure that storage account access keys are periodically regenerated
• 3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 3.4 Ensure that shared access signature tokens expire within an hour
• 3.4 Ensure that shared access signature tokens expire within an hour
• 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 4.1.1 Ensure only MFA enabled identities can access privileged Virtual Machine
• 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
• 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour
• 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
• 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
• 5.1.1 Ensure that a 'Diagnostic Setting' exists
• 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• 5.1.1 Ensure that a 'Diagnostics Setting' exists
• 5.1.1 Ensure that a 'Diagnostics Setting' exists
• 5.1.1 Ensure that a 'Diagnostics Setting' exists
• 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled.
• 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
• 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
• 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible
• 6.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• 6.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users
• 6.1.3 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
• 6.10 Ensure that 'Notify users on password resets?' is set to 'Yes'
• 6.11 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
• 6.12 Ensure that 'User consent for applications' is set to 'Do not allow user consent'
• 6.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
• 6.17 Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
• 6.18 Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
• 6.2.3 Ensure that an exclusionary device code flow policy is considered
• 6.2.4 Ensure that a multifactor authentication policy exists for all users
• 6.2.5 Ensure that multifactor authentication is required for risky sign-ins
• 6.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
• 6.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
• 6.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
• 6.24 Ensure that a custom role is assigned permissions for administering resource locks
• 6.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
• 6.3.1 Ensure that Azure admin accounts are not used for daily operations
• 6.3.4 Ensure that all 'privileged' role assignments are periodically reviewed
• 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 6.5 Ensure that 'Number of methods required to reset' is set to '2'
• 6.6 Ensure that account 'Lockout threshold' is less than or equal to '10'
• 6.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
• 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 6.8 Ensure that a 'Custom banned password list' is set to 'Enforce'
• 6.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
• 7.1.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• 7.1.1.10 Ensure that Intune logs are captured and sent to Log Analytics
• 7.1.1.7 Ensure that virtual network flow logs are captured and sent to Log Analytics
• 7.1.1.8 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
• 7.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
• 7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• 7.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
• 7.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources
• 7.4 Ensure that only approved extensions are installed
• 7.4 Ensure that only approved extensions are installed
• 7.4 Ensure that only approved extensions are installed
• 7.5 Ensure that Only Approved Extensions Are Installed
• 7.5 Ensure that Only Approved Extensions Are Installed
• 7.5 Ensure that the endpoint protection for all Virtual Machines is installed
• 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
• 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
• 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
• 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
• 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
• 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
• 7.6 Ensure that VHD's are encrypted
• 7.7 [Legacy] Ensure that VHDs are Encrypted
• 7.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 7.7 Ensure that VHD's are encrypted
• 7.7 Ensure that VHD's are encrypted
• 7.7 Ensure that VHDs are Encrypted
• 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
• 8.10 Ensure only MFA enabled identities can access privileged Virtual Machine
• 8.3 Ensure that Resource Locks are set for mission critical Azure resources
• 8.5 Ensure that Resource Locks are set for mission critical Azure resources
• 8.7 Ensure that Only Approved Extensions Are Installed
• 8.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• 8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
• 8.9 [Legacy] Ensure that VHDs are Encrypted
• 9.1.10 Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
• 9.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• 9.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• 9.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
• 9.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
• 9.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
• 9.10 Ensure Azure Key Vaults are Used to Store Secrets
• 9.11 Ensure Azure Key Vaults are Used to Store Secrets
• 9.11 Ensure Azure Key Vaults are Used to Store Secrets
• 9.11 Ensure Azure Keyvaults are used to store secrets
• 9.11 Ensure Azure Keyvaults are used to store secrets
• 9.11 Ensure Azure Keyvaults are used to store secrets
• 9.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• 9.3.10 Ensure that Azure Key Vault Managed HSM is used when required
• 9.3.9 Ensure automatic key rotation is enabled within Azure Key Vault
• 9.6 Ensure that 'Basic Authentication' is 'Disabled'
• 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
• 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
• 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
• 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
• 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app
• 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
• 9.7 Ensure that 'Python version' is the latest, if used to run the web app
• 9.7 Ensure that 'Python version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the web app
• 9.8 Ensure that 'Java version' is the latest, if used to run the Web App
• Accounts with owner permissions on Azure resources should be MFA enabled
• Accounts with read permissions on Azure resources should be MFA enabled
• Accounts with write permissions on Azure resources should be MFA enabled
• All Internet traffic should be routed via your deployed Azure Firewall
• Allowlist rules in your adaptive application control policy should be updated
• Audit Linux machines that do not have the passwd file permissions set to 0644
• Authorize access to security functions and information
• Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
• Azure Automation accounts should use customer-managed keys to encrypt data at rest
• Azure Backup should be enabled for Virtual Machines
• Azure Data Box jobs should enable double encryption for data at rest on the device
• Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
• Azure Machine Learning workspaces should use private link
• Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
• Azure Monitor Logs clusters should be encrypted with customer-managed key
• Azure Recovery Services vaults should use customer-managed keys for encrypting backup data
• Azure Stream Analytics jobs should use customer-managed keys to encrypt data
• Azure Web PubSub Service should use private link
• Bot Service should be encrypted with a customer-managed key
• Certificates should have the specified maximum validity period
• Container registry images should have vulnerability findings resolved
• Endpoint protection solution should be installed on virtual machine scale sets
• IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)
• Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
• Kubernetes cluster containers should not share host process ID or host IPC namespace
• Kubernetes cluster containers should only use allowed AppArmor profiles
• Kubernetes cluster containers should only use allowed capabilities
• Kubernetes cluster containers should only use allowed images
• Kubernetes cluster containers should run with a read only root file system
• Kubernetes cluster pod hostPath volumes should only use allowed host paths
• Kubernetes cluster pods and containers should only run with approved user and group IDs
• Kubernetes cluster pods should only use approved host network and port range
• Kubernetes cluster services should listen only on allowed ports
• Kubernetes cluster should not allow privileged containers
• Kubernetes clusters should be accessible only over HTTPS
• Kubernetes clusters should not allow container privilege escalation
• Logic Apps Integration Service Environment should be encrypted with customer-managed keys
• Monitor missing Endpoint Protection in Azure Security Center
• Non-internet-facing virtual machines should be protected with network security groups
• Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
• SQL servers on machines should have vulnerability findings resolved
• System updates on virtual machine scale sets should be installed
• Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
• VM Image Builder templates should use private link
• Vulnerabilities in container security configurations should be remediated
• Windows machines should meet requirements for 'Security Options - Network Access'
• Windows machines should meet requirements for 'Security Options - Recovery console'
• Windows machines should meet requirements for 'Security Options - User Account Control'

SQL