Query: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
Description
Resource Manager locks give administrators a way to lock down Azure resources so that a resource cannot be deleted or modified. These locks sit outside the Role-Based Access Control (RBAC) hierarchy and, once applied, restrict the resource for all users, regardless of their role assignments.
Query
Tables used in this query:
Controls using this query:
- 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- 10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
- 10.1.3 Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
- 10.3.1.1 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 10.3.1.2 Ensure that Storage Account access keys are periodically regenerated
- 10.3.10 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
- 10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
- 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'
- 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- 3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- 3.1.2 Ensure that network security groups are configured for Databricks subnets
- 3.1.3 Ensure that traffic is encrypted between cluster worker nodes
- 3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- 3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
- 3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
- 3.1.4.2 Ensure that 'Agentless discovery for Kubernetes' component status 'On'
- 3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- 3.1.5 Ensure that Unity Catalog is configured for Azure Databricks
- 3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
- 3.1.7 Ensure that diagnostic log delivery is configured for Azure Databricks
- 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests
- 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
- 3.16 Ensure 'Cross Tenant Replication' is not enabled
- 3.2 Ensure that storage account access keys are periodically regenerated
- 3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- 3.4 Ensure that shared access signature tokens expire within an hour
- 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 4.1.1 Ensure only MFA enabled identities can access privileged Virtual Machine
- 4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
- 5.1.1 Ensure that a 'Diagnostic Setting' exists
- 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- 5.1.1 Ensure that a 'Diagnostics Setting' exists
- 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled
- 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
- 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible
- 6.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- 6.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users
- 6.1.3 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
- 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 6.10 Ensure that 'Notify users on password resets?' is set to 'Yes'
- 6.11 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
- 6.12 Ensure that 'User consent for applications' is set to 'Do not allow user consent'
- 6.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
- 6.17 Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
- 6.18 Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
- 6.2.3 Ensure that an exclusionary device code flow policy is considered
- 6.2.4 Ensure that a multifactor authentication policy exists for all users
- 6.2.5 Ensure that multifactor authentication is required for risky sign-ins
- 6.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- 6.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- 6.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- 6.24 Ensure that a custom role is assigned permissions for administering resource locks
- 6.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- 6.3.1 Ensure that Azure admin accounts are not used for daily operations
- 6.3.4 Ensure that all 'privileged' role assignments are periodically reviewed
- 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 6.5 Ensure that 'Number of methods required to reset' is set to '2'
- 6.6 Ensure that account 'Lockout threshold' is less than or equal to '10'
- 6.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 6.8 Ensure that a 'Custom banned password list' is set to 'Enforce'
- 6.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- 7.1.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- 7.1.1.10 Ensure that Intune logs are captured and sent to Log Analytics
- 7.1.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 7.1.1.7 Ensure that virtual network flow logs are captured and sent to Log Analytics
- 7.1.1.8 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
- 7.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
- 7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 7.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- 7.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- 7.4 Ensure that only approved extensions are installed
- 7.5 Ensure that Only Approved Extensions Are Installed
- 7.5 Ensure that the endpoint protection for all Virtual Machines is installed
- 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
- 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
- 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
- 7.6 Ensure that VHD's are encrypted
- 7.7 [Legacy] Ensure that VHDs are Encrypted
- 7.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 7.7 Ensure that VHD's are encrypted
- 7.7 Ensure that VHDs are Encrypted
- 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
- 8.10 Ensure only MFA enabled identities can access privileged Virtual Machine
- 8.3 Ensure that Resource Locks are set for mission critical Azure resources
- 8.5 Ensure that Resource Locks are set for mission critical Azure resources
- 8.7 Ensure that Only Approved Extensions Are Installed
- 8.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- 8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
- 8.9 [Legacy] Ensure that VHDs are Encrypted
- 9.1.10 Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
- 9.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- 9.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- 9.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- 9.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
- 9.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
- 9.10 Ensure Azure Key Vaults are Used to Store Secrets
- 9.11 Ensure Azure Key Vaults are Used to Store Secrets
- 9.11 Ensure Azure Keyvaults are used to store secrets
- 9.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 9.3.10 Ensure that Azure Key Vault Managed HSM is used when required
- 9.3.9 Ensure automatic key rotation is enabled within Azure Key Vault
- 9.6 Ensure that 'Basic Authentication' is 'Disabled'
- 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
- 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app
- 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- 9.7 Ensure that 'Python version' is the latest, if used to run the web app
- 9.8 Ensure that 'Java version' is the latest, if used to run the web app
- 9.8 Ensure that 'Java version' is the latest, if used to run the Web App
- Accounts with owner permissions on Azure resources should be MFA enabled
- Accounts with read permissions on Azure resources should be MFA enabled
- Accounts with write permissions on Azure resources should be MFA enabled
- All Internet traffic should be routed via your deployed Azure Firewall
- Allowlist rules in your adaptive application control policy should be updated
- Audit Linux machines that do not have the passwd file permissions set to 0644
- Authorize access to security functions and information
- Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
- Azure Automation accounts should use customer-managed keys to encrypt data at rest
- Azure Backup should be enabled for Virtual Machines
- Azure Data Box jobs should enable double encryption for data at rest on the device
- Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
- Azure Machine Learning workspaces should use private link
- Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
- Azure Monitor Logs clusters should be encrypted with customer-managed key
- Azure Recovery Services vaults should use customer-managed keys for encrypting backup data
- Azure Stream Analytics jobs should use customer-managed keys to encrypt data
- Azure Web PubSub Service should use private link
- Bot Service should be encrypted with a customer-managed key
- Certificates should have the specified maximum validity period
- Container registry images should have vulnerability findings resolved
- Endpoint protection solution should be installed on virtual machine scale sets
- IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)
- Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- Kubernetes cluster containers should not share host process ID or host IPC namespace
- Kubernetes cluster containers should only use allowed AppArmor profiles
- Kubernetes cluster containers should only use allowed capabilities
- Kubernetes cluster containers should only use allowed images
- Kubernetes cluster containers should run with a read only root file system
- Kubernetes cluster pod hostPath volumes should only use allowed host paths
- Kubernetes cluster pods and containers should only run with approved user and group IDs
- Kubernetes cluster pods should only use approved host network and port range
- Kubernetes cluster services should listen only on allowed ports
- Kubernetes cluster should not allow privileged containers
- Kubernetes clusters should be accessible only over HTTPS
- Kubernetes clusters should not allow container privilege escalation
- Logic Apps Integration Service Environment should be encrypted with customer-managed keys
- Monitor missing Endpoint Protection in Azure Security Center
- Non-internet-facing virtual machines should be protected with network security groups
- Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
- SQL servers on machines should have vulnerability findings resolved
- System updates on virtual machine scale sets should be installed
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
- VM Image Builder templates should use private link
- Vulnerabilities in container security configurations should be remediated
- Windows machines should meet requirements for 'Security Options - Network Access'
- Windows machines should meet requirements for 'Security Options - Recovery console'
- Windows machines should meet requirements for 'Security Options - User Account Control'