diff --git a/docs/changelog.md b/docs/changelog.md
index 2085b9424d7..cb8d620cd0a 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -31,6 +31,8 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 ## Unreleased
 
 - New rules:
+  - Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources.
+    [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548)
   - App Configuration:
     - Check that replica locations are in allowed regions by @BernieWhite.
       [#3441](https://github.com/Azure/PSRule.Rules.Azure/issues/3441)
diff --git a/docs/en/baselines/Azure.All.csv b/docs/en/baselines/Azure.All.csv
index 145ccdfc3af..cd0752eb302 100644
--- a/docs/en/baselines/Azure.All.csv
+++ b/docs/en/baselines/Azure.All.csv
@@ -1,4 +1,5 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-"
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
@@ -8,7 +9,8 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Quarantine","Enable container image quarantine, scan, and mark images as verified.","Important","Security","-"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Retention","Use a retention policy to cleanup untagged manifests.","Important","Cost Optimization","-"
@@ -16,6 +18,7 @@
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-"
 "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
@@ -43,7 +46,8 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -53,8 +57,10 @@
 "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-"
 "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-"
 "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-"
 "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-"
 "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-"
 "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-"
@@ -103,7 +109,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -144,22 +150,35 @@
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
 "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-"
@@ -232,6 +251,7 @@
 "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-"
 "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-"
 "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -271,6 +291,7 @@
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-"
 "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-"
 "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1"
@@ -287,6 +308,7 @@
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
 "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -315,6 +337,7 @@
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -339,10 +362,12 @@
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1"
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -365,6 +390,8 @@
 "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1"
 "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -373,14 +400,18 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
@@ -388,6 +419,7 @@
 "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-"
 "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
 "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-"
 "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.All.md b/docs/en/baselines/Azure.All.md
index 0a243d0f513..1e63e6ce96b 100644
--- a/docs/en/baselines/Azure.All.md
+++ b/docs/en/baselines/Azure.All.md
@@ -10,10 +10,11 @@ Includes all Azure rules.
 
 The following rules are included within the `Azure.All` baseline.
 
-This baseline includes a total of 496 rules.
+This baseline includes a total of 528 rules.
 
 Name | Synopsis | Severity
 ---- | -------- | --------
+[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical
 [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important
 [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical
@@ -24,6 +25,7 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important
 [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
@@ -31,6 +33,7 @@ Name | Synopsis | Severity
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
@@ -59,6 +62,7 @@ Name | Synopsis | Severity
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
 [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
 [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important
 [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important
 [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@@ -68,8 +72,10 @@ Name | Synopsis | Severity
 [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important
 [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important
 [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important
 [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important
 [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important
 [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important
@@ -118,7 +124,7 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -159,22 +165,35 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important
 [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical
 [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical
@@ -247,6 +266,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical
 [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important
 [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness
 [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -286,6 +306,7 @@ Name | Synopsis | Severity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness
 [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important
 [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical
 [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
 [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical
@@ -302,6 +323,7 @@ Name | Synopsis | Severity
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
 [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -330,6 +352,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness
@@ -354,10 +377,12 @@ Name | Synopsis | Severity
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -380,6 +405,8 @@ Name | Synopsis | Severity
 [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
 [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important
 [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness
@@ -389,13 +416,17 @@ Name | Synopsis | Severity
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
 [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important
 [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
@@ -403,6 +434,7 @@ Name | Synopsis | Severity
 [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important
 [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important
 [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important
 [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important
diff --git a/docs/en/baselines/Azure.CAF_2025_03.csv b/docs/en/baselines/Azure.CAF_2025_03.csv
index 81e5e076da4..0172a53a7bf 100644
--- a/docs/en/baselines/Azure.CAF_2025_03.csv
+++ b/docs/en/baselines/Azure.CAF_2025_03.csv
@@ -1,7 +1,7 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -10,8 +10,8 @@
 "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -49,9 +49,9 @@
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.CAF_2025_06.csv b/docs/en/baselines/Azure.CAF_2025_06.csv
index 81e5e076da4..0172a53a7bf 100644
--- a/docs/en/baselines/Azure.CAF_2025_06.csv
+++ b/docs/en/baselines/Azure.CAF_2025_06.csv
@@ -1,7 +1,7 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -10,8 +10,8 @@
 "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -49,9 +49,9 @@
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.CAF_Compatibility.csv b/docs/en/baselines/Azure.CAF_Compatibility.csv
index 81e5e076da4..0172a53a7bf 100644
--- a/docs/en/baselines/Azure.CAF_Compatibility.csv
+++ b/docs/en/baselines/Azure.CAF_Compatibility.csv
@@ -1,7 +1,7 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -10,8 +10,8 @@
 "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -49,9 +49,9 @@
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.Default.csv b/docs/en/baselines/Azure.Default.csv
index e55d5dbcd5b..f2cb8586242 100644
--- a/docs/en/baselines/Azure.Default.csv
+++ b/docs/en/baselines/Azure.Default.csv
@@ -1,4 +1,5 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-"
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
@@ -7,11 +8,13 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-"
 "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
@@ -39,7 +42,8 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -49,8 +53,10 @@
 "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-"
 "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-"
 "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-"
 "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-"
 "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-"
 "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-"
@@ -98,7 +104,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -137,22 +143,35 @@
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to 
allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB 
vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
 "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-"
@@ -224,6 +243,7 @@
 "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-"
 "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-"
 "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -263,6 +283,7 @@
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-"
 "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-"
 "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1"
@@ -279,6 +300,7 @@
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
 "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -307,6 +329,7 @@
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -331,10 +354,12 @@
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1"
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -356,6 +381,8 @@
 "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1"
 "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -364,14 +391,18 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet 
naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
@@ -379,6 +410,7 @@
 "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-"
 "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
 "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-"
 "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md
index 9c8463f3cdb..800b8c2508d 100644
--- a/docs/en/baselines/Azure.Default.md
+++ b/docs/en/baselines/Azure.Default.md
@@ -10,10 +10,11 @@ Default baseline for that includes the latest rules for Azure GA features that i
 The following rules are included within the `Azure.Default` baseline.
-This baseline includes a total of 482 rules.
+This baseline includes a total of 514 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
+[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical
 [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important
 [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical
@@ -23,10 +24,12 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important
 [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
@@ -55,6 +58,7 @@ Name | Synopsis | Severity
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
 [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
 [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important
 [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important
 [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@@ -64,8 +68,10 @@ Name | Synopsis | Severity
 [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important
 [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important
 [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important
 [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important
 [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important
 [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important
@@ -113,7 +119,7 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -152,22 +158,35 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important
 [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical
 [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical
@@ -239,6 +258,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical
 [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important
 [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness
 [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -278,6 +298,7 @@ Name | Synopsis | Severity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness
 [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important
 [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical
 [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
 [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical
@@ -294,6 +315,7 @@ Name | Synopsis | Severity
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
 [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -322,6 +344,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness
@@ -346,10 +369,12 @@ Name | Synopsis | Severity
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -371,6 +396,8 @@ Name | Synopsis | Severity
 [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
 [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important
 [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness
@@ -380,13 +407,17 @@ Name | Synopsis | Severity
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
 [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important
 [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
@@ -394,6 +425,7 @@ Name | Synopsis | Severity
 [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important
 [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important
 [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important
 [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important
diff --git a/docs/en/baselines/Azure.GA_2020_06.csv b/docs/en/baselines/Azure.GA_2020_06.csv
index 716d32d2848..f0394d1237d 100644
--- a/docs/en/baselines/Azure.GA_2020_06.csv
+++ b/docs/en/baselines/Azure.GA_2020_06.csv
@@ -1,11 +1,11 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2020_09.csv b/docs/en/baselines/Azure.GA_2020_09.csv
index 67b92c02310..c05c90dc458 100644
--- a/docs/en/baselines/Azure.GA_2020_09.csv
+++ b/docs/en/baselines/Azure.GA_2020_09.csv
@@ -1,11 +1,11 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2020_12.csv b/docs/en/baselines/Azure.GA_2020_12.csv
index af6e64485cd..823f7f46bfd 100644
--- a/docs/en/baselines/Azure.GA_2020_12.csv
+++ b/docs/en/baselines/Azure.GA_2020_12.csv
@@ -3,13 +3,13 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
@@ -112,13 +112,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_03.csv b/docs/en/baselines/Azure.GA_2021_03.csv
index 8df454ec716..c4a8413c773 100644
--- a/docs/en/baselines/Azure.GA_2021_03.csv
+++ b/docs/en/baselines/Azure.GA_2021_03.csv
@@ -3,13 +3,13 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
@@ -119,13 +119,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_06.csv b/docs/en/baselines/Azure.GA_2021_06.csv
index 76be59d2ef2..0dcccdf6c4e 100644
--- a/docs/en/baselines/Azure.GA_2021_06.csv
+++ b/docs/en/baselines/Azure.GA_2021_06.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-"
 "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-"
@@ -12,7 +12,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
@@ -133,13 +133,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_09.csv b/docs/en/baselines/Azure.GA_2021_09.csv
index 1857e1a33f3..38fc5daa6d5 100644
--- a/docs/en/baselines/Azure.GA_2021_09.csv
+++ b/docs/en/baselines/Azure.GA_2021_09.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AuditLogs","AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.","Important","Security","L1"
 "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-"
@@ -17,7 +17,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -65,7 +65,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -145,13 +145,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_12.csv b/docs/en/baselines/Azure.GA_2021_12.csv
index 8c7f0c2f5f6..118ad1ca0dd 100644
--- a/docs/en/baselines/Azure.GA_2021_12.csv
+++ b/docs/en/baselines/Azure.GA_2021_12.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AuditLogs","AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.","Important","Security","L1"
 "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-"
@@ -19,7 +19,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -73,7 +73,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -163,13 +163,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_03.csv b/docs/en/baselines/Azure.GA_2022_03.csv
index 7cb76cf059d..7d2de8d42fe 100644
--- a/docs/en/baselines/Azure.GA_2022_03.csv
+++ b/docs/en/baselines/Azure.GA_2022_03.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -23,7 +23,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -78,7 +78,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -177,13 +177,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_06.csv b/docs/en/baselines/Azure.GA_2022_06.csv
index fe1e6615695..ec28b90a884 100644
--- a/docs/en/baselines/Azure.GA_2022_06.csv
+++ b/docs/en/baselines/Azure.GA_2022_06.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -23,7 +23,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -81,7 +81,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -181,13 +181,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_09.csv b/docs/en/baselines/Azure.GA_2022_09.csv
index ad35c4b7ca3..1cf370fc25c 100644
--- a/docs/en/baselines/Azure.GA_2022_09.csv
+++ b/docs/en/baselines/Azure.GA_2022_09.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -28,7 +28,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -93,7 +93,7 @@
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
@@ -209,13 +209,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_12.csv b/docs/en/baselines/Azure.GA_2022_12.csv
index 10a05f7cc7b..91b145b1d64 100644
--- a/docs/en/baselines/Azure.GA_2022_12.csv
+++ b/docs/en/baselines/Azure.GA_2022_12.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -28,7 +28,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -99,7 +99,7 @@
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
@@ -236,13 +236,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2023_03.csv b/docs/en/baselines/Azure.GA_2023_03.csv
index 50e6d053a04..ae02e25a615 100644
--- a/docs/en/baselines/Azure.GA_2023_03.csv
+++ b/docs/en/baselines/Azure.GA_2023_03.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -29,7 +29,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -103,10 +103,10 @@
 "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
@@ -252,13 +252,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2023_06.csv b/docs/en/baselines/Azure.GA_2023_06.csv
index 585ba58664b..b85c09df9e9 100644
--- a/docs/en/baselines/Azure.GA_2023_06.csv
+++ b/docs/en/baselines/Azure.GA_2023_06.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -29,7 +29,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -107,11 +107,11 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
@@ -266,13 +266,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2023_09.csv b/docs/en/baselines/Azure.GA_2023_09.csv
index 703d2a4cc64..da3391e9885 100644
--- a/docs/en/baselines/Azure.GA_2023_09.csv
+++ b/docs/en/baselines/Azure.GA_2023_09.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -31,7 +31,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -112,11 +112,11 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
@@ -277,13 +277,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2023_12.csv b/docs/en/baselines/Azure.GA_2023_12.csv
index 653f23ca95f..c5422f29d14 100644
--- a/docs/en/baselines/Azure.GA_2023_12.csv
+++ b/docs/en/baselines/Azure.GA_2023_12.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -31,7 +31,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -114,11 +114,11 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
@@ -286,13 +286,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_03.csv b/docs/en/baselines/Azure.GA_2024_03.csv
index 7a2a6120895..ecb0fd2c9b8 100644
--- a/docs/en/baselines/Azure.GA_2024_03.csv
+++ b/docs/en/baselines/Azure.GA_2024_03.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -32,7 +32,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -83,7 +83,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -118,11 +117,11 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
@@ -295,13 +294,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_03.md b/docs/en/baselines/Azure.GA_2024_03.md
index 7ec555d74b6..8ea340d81db 100644
--- a/docs/en/baselines/Azure.GA_2024_03.md
+++ b/docs/en/baselines/Azure.GA_2024_03.md
@@ -15,7 +15,7 @@ Include rules released March 2024 or prior for Azure GA features.
 The following rules are included within the `Azure.GA_2024_03` baseline.
-This baseline includes a total of 391 rules.
+This baseline includes a total of 390 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -103,7 +103,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important
 [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important
diff --git a/docs/en/baselines/Azure.GA_2024_06.csv b/docs/en/baselines/Azure.GA_2024_06.csv
index 33f14b72cb3..bd3587b7a6a 100644
--- a/docs/en/baselines/Azure.GA_2024_06.csv
+++ b/docs/en/baselines/Azure.GA_2024_06.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -32,7 +32,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -87,7 +87,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -126,11 +125,11 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
@@ -314,13 +313,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_06.md b/docs/en/baselines/Azure.GA_2024_06.md
index f8bca1a7db7..8bb0fb182d2 100644
--- a/docs/en/baselines/Azure.GA_2024_06.md
+++ b/docs/en/baselines/Azure.GA_2024_06.md
@@ -15,7 +15,7 @@ Include rules released June 2024 or prior for Azure GA features.
 The following rules are included within the `Azure.GA_2024_06` baseline.
-This baseline includes a total of 411 rules.
+This baseline includes a total of 410 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -107,7 +107,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important
 [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important
diff --git a/docs/en/baselines/Azure.GA_2024_09.csv b/docs/en/baselines/Azure.GA_2024_09.csv
index b75a54929a4..d9a62491a3e 100644
--- a/docs/en/baselines/Azure.GA_2024_09.csv
+++ b/docs/en/baselines/Azure.GA_2024_09.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -34,7 +34,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -89,7 +89,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -130,11 +129,11 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -322,14 +321,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_09.md b/docs/en/baselines/Azure.GA_2024_09.md
index b3110e9207a..93550525260 100644
--- a/docs/en/baselines/Azure.GA_2024_09.md
+++ b/docs/en/baselines/Azure.GA_2024_09.md
@@ -15,7 +15,7 @@ Include rules released September 2024 or prior for Azure GA features.
 The following rules are included within the `Azure.GA_2024_09` baseline.
-This baseline includes a total of 428 rules.
+This baseline includes a total of 427 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -109,7 +109,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important
 [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important
diff --git a/docs/en/baselines/Azure.GA_2024_12.csv b/docs/en/baselines/Azure.GA_2024_12.csv
index 1bdcae2854a..304364e84d4 100644
--- a/docs/en/baselines/Azure.GA_2024_12.csv
+++ b/docs/en/baselines/Azure.GA_2024_12.csv
@@ -5,7 +5,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -35,7 +35,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -90,7 +90,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -131,11 +130,11 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -325,14 +324,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_12.md b/docs/en/baselines/Azure.GA_2024_12.md
index 658d33ebc5f..24e0babcce8 100644
--- a/docs/en/baselines/Azure.GA_2024_12.md
+++ b/docs/en/baselines/Azure.GA_2024_12.md
@@ -15,7 +15,7 @@ Include rules released December 2024 or prior for Azure GA features.
 The following rules are included within the `Azure.GA_2024_12` baseline.
-This baseline includes a total of 431 rules.
+This baseline includes a total of 430 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -110,7 +110,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important
 [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important
diff --git a/docs/en/baselines/Azure.GA_2025_03.csv b/docs/en/baselines/Azure.GA_2025_03.csv
index 55d7ae10a17..b83a5cb4538 100644
--- a/docs/en/baselines/Azure.GA_2025_03.csv
+++ b/docs/en/baselines/Azure.GA_2025_03.csv
@@ -5,7 +5,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -35,7 +35,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -90,7 +90,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -131,11 +130,11 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -331,14 +330,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2025_03.md b/docs/en/baselines/Azure.GA_2025_03.md
index 86a4d602c6b..7a086bd5415 100644
--- a/docs/en/baselines/Azure.GA_2025_03.md
+++ b/docs/en/baselines/Azure.GA_2025_03.md
@@ -15,7 +15,7 @@ Include rules released March 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_03` baseline. -This baseline includes a total of 438 rules. +This baseline includes a total of 437 rules. Name | Synopsis | Severity ---- | -------- | --------
@@ -110,7 +110,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important
 [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important
diff --git a/docs/en/baselines/Azure.GA_2025_06.csv b/docs/en/baselines/Azure.GA_2025_06.csv
index c929eff5e87..979b29c85dc 100644
--- a/docs/en/baselines/Azure.GA_2025_06.csv
+++ b/docs/en/baselines/Azure.GA_2025_06.csv
@@ -5,7 +5,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -36,7 +36,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -94,7 +94,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -137,11 +136,11 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -359,14 +358,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2025_06.md b/docs/en/baselines/Azure.GA_2025_06.md
index b8111e7911c..81f5778edd5 100644
--- a/docs/en/baselines/Azure.GA_2025_06.md
+++ b/docs/en/baselines/Azure.GA_2025_06.md
@@ -15,7 +15,7 @@ Include rules released June 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_06` baseline. -This baseline includes a total of 476 rules. +This baseline includes a total of 475 rules. Name | Synopsis | Severity ---- | -------- | --------
@@ -114,7 +114,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
diff --git a/docs/en/baselines/Azure.GA_2025_09.csv b/docs/en/baselines/Azure.GA_2025_09.csv
index 3d9e8a22683..320b72308a8 100644
--- a/docs/en/baselines/Azure.GA_2025_09.csv
+++ b/docs/en/baselines/Azure.GA_2025_09.csv
@@ -7,7 +7,7 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
@@ -39,7 +39,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -97,7 +97,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -140,11 +139,11 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -363,14 +362,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2025_09.md b/docs/en/baselines/Azure.GA_2025_09.md
index 5f3afb555f4..dffcb68cc41 100644
--- a/docs/en/baselines/Azure.GA_2025_09.md
+++ b/docs/en/baselines/Azure.GA_2025_09.md
@@ -12,7 +12,7 @@ Include rules released September 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_09` baseline. -This baseline includes a total of 481 rules. +This baseline includes a total of 480 rules. Name | Synopsis | Severity ---- | -------- | --------
@@ -114,7 +114,6 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
diff --git a/docs/en/baselines/Azure.MCSB.v1.csv b/docs/en/baselines/Azure.MCSB.v1.csv
index 65ede0dc856..767ed7d2161 100644
--- a/docs/en/baselines/Azure.MCSB.v1.csv
+++ b/docs/en/baselines/Azure.MCSB.v1.csv
@@ -7,6 +7,7 @@
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
 "Azure.AI.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1"
 "Azure.AI.PrivateEndpoints","Use Private Endpoints to access Azure AI services accounts.","Important","Security","-"
@@ -59,6 +60,7 @@
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Defender.Api","Enable Microsoft Defender for APIs.","Critical","Security","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.MCSB.v1.md b/docs/en/baselines/Azure.MCSB.v1.md
index 83b87ba2f3c..b47a0d5948a 100644
--- a/docs/en/baselines/Azure.MCSB.v1.md
+++ b/docs/en/baselines/Azure.MCSB.v1.md
@@ -16,7 +16,7 @@ Rules for GA Azure features that align to the Microsoft Cloud Security Benchmark The following rules are included within the `Azure.MCSB.v1` baseline. -This baseline includes a total of 143 rules. +This baseline includes a total of 145 rules. Name | Synopsis | Severity ---- | -------- | --------
@@ -28,6 +28,7 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
 [Azure.AI.ManagedIdentity](../rules/Azure.AI.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important
 [Azure.AI.PrivateEndpoints](../rules/Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important
@@ -80,6 +81,7 @@ Name | Synopsis | Severity
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Defender.Api](../rules/Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical
 [Azure.Defender.AppServices](../rules/Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | Critical
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
index 7c892adc7bf..2c86cda38ca 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
@@ -1,10 +1,15 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.AKS.ContainerInsights","Enable Container insights to monitor AKS cluster workloads.","Important","Operational Excellence","-"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.APIM.APIDescriptors","APIs should have a display name and description.","Awareness","Operational Excellence","-"
 "Azure.APIM.MinAPIVersion","API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.","Important","Operational Excellence","-"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -22,8 +27,18 @@
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -48,6 +63,7 @@
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.NIC.Name","Network Interface (NIC) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.NSG.AKSRules","AKS Network Security Group (NSG) should not have custom rules.","Awareness","Operational Excellence","-"
 "Azure.NSG.Name","Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names.","Awareness","Operational Excellence","-"
@@ -57,22 +73,32 @@
 "Azure.Policy.Descriptors","Policy and initiative definitions should use a display name, description, and category.","Awareness","Operational Excellence","-"
 "Azure.Policy.ExemptionDescriptors","Policy exemptions should use a display name and description.","Awareness","Operational Excellence","-"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.DNSLabel","Public IP domain name labels should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.MigrateStandard","Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.","Important","Operational Excellence","-"
 "Azure.PublicIP.Name","Azure Resource Manager (ARM) has requirements for Public IP address names.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.Naming","Public IP addresses without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.Route.Name","Azure Resource Manager (ARM) has requirements for Route table names.","Awareness","Operational Excellence","-"
 "Azure.Route.Naming","Route tables without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.RSV.Name","Recovery Services vaults should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.Subscription.RequiredTags","Subscriptions without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
index 70c453ea4bc..921b508bf82 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
@@ -14,16 +14,21 @@ Microsoft Azure Well-Architected Framework - Operational Excellence pillar speci
 The following rules are included within the `Azure.Pillar.OperationalExcellence` baseline.
-This baseline includes a total of 119 rules.
+This baseline includes a total of 145 rules.
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
-[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | -
+[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | L2
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.AI.FoundryNaming](../rules/Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.AKS.ContainerInsights](../rules/Azure.AKS.ContainerInsights.md) | Enable Container insights to monitor AKS cluster workloads. | Important | -
 [Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness | -
-[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | -
+[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | L2
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.AKS.PlatformLogs](../rules/Azure.AKS.PlatformLogs.md) | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important | -
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.APIM.APIDescriptors](../rules/Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | -
 [Azure.APIM.MinAPIVersion](../rules/Azure.APIM.MinAPIVersion.md) | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important | -
 [Azure.APIM.Name](../rules/Azure.APIM.Name.md) | API Management service names should meet naming requirements. | Awareness | -
@@ -41,8 +46,18 @@ Name | Synopsis | Severity | Maturity
 [Azure.Bastion.Name](../rules/Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | -
 [Azure.CDN.EndpointName](../rules/Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | -
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | -
-[Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | -
-[Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | -
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | L2
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | L2
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Deployment.Name](../rules/Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | -
 [Azure.EventGrid.DomainNaming](../rules/Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.EventGrid.SystemTopicNaming](../rules/Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | -
@@ -67,6 +82,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | -
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | -
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | -
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.NIC.Name](../rules/Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | -
 [Azure.NSG.AKSRules](../rules/Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | -
 [Azure.NSG.Name](../rules/Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | -
@@ -76,22 +92,32 @@ Name | Synopsis | Severity | Maturity
 [Azure.Policy.Descriptors](../rules/Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | -
 [Azure.Policy.ExemptionDescriptors](../rules/Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | -
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | -
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | -
 [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | -
 [Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | -
 [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | -
 [Azure.PublicIP.Naming](../rules/Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | -
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | -
 [Azure.Route.Name](../rules/Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | -
 [Azure.Route.Naming](../rules/Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.RSV.Name](../rules/Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | -
 [Azure.Search.Name](../rules/Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | -
 [Azure.Search.Naming](../rules/Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | -
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | -
-[Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | -
+[Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | L2
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | -
-[Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | -
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | L2
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | -
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | -
 [Azure.Storage.Naming](../rules/Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.Subscription.RequiredTags](../rules/Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | -
diff --git a/docs/en/baselines/Azure.Pillar.Reliability.csv b/docs/en/baselines/Azure.Pillar.Reliability.csv
index 7c2172b95d1..b903718b3c0 100644
--- a/docs/en/baselines/Azure.Pillar.Reliability.csv
+++ b/docs/en/baselines/Azure.Pillar.Reliability.csv
@@ -30,7 +30,9 @@
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.EntraDS.MinReplicas","Applications or infrastructure relying on a managed domain may fail if the domain is not available.","Important","Reliability","-"
@@ -39,6 +41,7 @@
 "Azure.FrontDoor.Probe","Use health probes to check the health of each backend.","Important","Reliability","-"
 "Azure.FrontDoor.ProbeMethod","Configure health probes to use HEAD requests to reduce performance overhead.","Important","Reliability","-"
 "Azure.FrontDoor.ProbePath","Configure a dedicated path for health probe requests.","Important","Reliability","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.KeyVault.PurgeProtect","Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.","Important","Reliability","-"
 "Azure.KeyVault.SoftDelete","Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.","Important","Reliability","-"
@@ -47,6 +50,7 @@
 "Azure.LB.StandardSKU","Load balancers should be deployed with Standard SKU for production workloads.","Important","Reliability","-"
 "Azure.Log.Replication","Log Analytics workspaces should have workspace replication enabled to improve service availability.","Important","Reliability","-"
 "Azure.MariaDB.GeoRedundantBackup","Azure Database for MariaDB should store backups in a geo-redundant storage.","Important","Reliability","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Monitor.ServiceHealth","Configure Service Health alerts to notify administrators.","Important","Reliability","-"
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Pillar.Reliability.md b/docs/en/baselines/Azure.Pillar.Reliability.md
index 0c2e09c0562..b80fd2cbf29 100644
--- a/docs/en/baselines/Azure.Pillar.Reliability.md
+++ b/docs/en/baselines/Azure.Pillar.Reliability.md
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Reliability pillar specific baselin
 The following rules are included within the `Azure.Pillar.Reliability` baseline.
-This baseline includes a total of 96 rules.
+This baseline includes a total of 100 rules.
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -49,7 +49,9 @@ Name | Synopsis | Severity | Maturity
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | -
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | -
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | -
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | L1
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | -
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | L1
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | -
 [Azure.DataFactory.Version](../rules/Azure.DataFactory.Version.md) | Consider migrating to DataFactory v2. | Awareness | -
 [Azure.EntraDS.MinReplicas](../rules/Azure.EntraDS.MinReplicas.md) | Applications or infrastructure relying on a managed domain may fail if the domain is not available. | Important | -
@@ -58,6 +60,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important | -
 [Azure.FrontDoor.ProbeMethod](../rules/Azure.FrontDoor.ProbeMethod.md) | Configure health probes to use HEAD requests to reduce performance overhead. | Important | -
 [Azure.FrontDoor.ProbePath](../rules/Azure.FrontDoor.ProbePath.md) | Configure a dedicated path for health probe requests. | Important | -
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | L1
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | -
 [Azure.KeyVault.PurgeProtect](../rules/Azure.KeyVault.PurgeProtect.md) | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important | -
 [Azure.KeyVault.SoftDelete](../rules/Azure.KeyVault.SoftDelete.md) | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important | -
@@ -66,6 +69,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.LB.StandardSKU](../rules/Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | -
 [Azure.Log.Replication](../rules/Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | -
 [Azure.MariaDB.GeoRedundantBackup](../rules/Azure.MariaDB.GeoRedundantBackup.md) | Azure Database for MariaDB should store backups in a geo-redundant storage. | Important | -
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | L1
 [Azure.Monitor.ServiceHealth](../rules/Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | -
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important | -
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | -
diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.csv b/docs/en/baselines/Azure.Pillar.Security.L1.csv
index 6a7ea459dd0..8ee86156a22 100644
--- a/docs/en/baselines/Azure.Pillar.Security.L1.csv
+++ b/docs/en/baselines/Azure.Pillar.Security.L1.csv
@@ -30,6 +30,7 @@
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.EntraDS.NTLM","Disable NTLM v1 for Microsoft Entra Domain Services.","Critical","Security","L1"
 "Azure.EntraDS.RC4","Disable RC4 encryption for Microsoft Entra Domain Services.","Critical","Security","L1"
 "Azure.EntraDS.TLS","Disable TLS v1 for Microsoft Entra Domain Services.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.md b/docs/en/baselines/Azure.Pillar.Security.L1.md
index 02a3a765ad2..cc3eaae11b1 100644
--- a/docs/en/baselines/Azure.Pillar.Security.L1.md
+++ b/docs/en/baselines/Azure.Pillar.Security.L1.md
@@ -16,7 +16,7 @@ Microsoft Azure Well-Architected Framework - Security pillar Level 1 maturity ba
 The following rules are included within the `Azure.Pillar.Security.L1` baseline.
-This baseline includes a total of 84 rules.
+This baseline includes a total of 85 rules.
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -51,6 +51,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | L1
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1
 [Azure.EntraDS.NTLM](../rules/Azure.EntraDS.NTLM.md) | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical | L1
 [Azure.EntraDS.RC4](../rules/Azure.EntraDS.RC4.md) | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical | L1
 [Azure.EntraDS.TLS](../rules/Azure.EntraDS.TLS.md) | Disable TLS v1 for Microsoft Entra Domain Services. | Critical | L1
diff --git a/docs/en/baselines/Azure.Pillar.Security.csv b/docs/en/baselines/Azure.Pillar.Security.csv
index 7eb3b5e7154..065c01cfc68 100644
--- a/docs/en/baselines/Azure.Pillar.Security.csv
+++ b/docs/en/baselines/Azure.Pillar.Security.csv
@@ -8,6 +8,7 @@
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
 "Azure.AI.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1"
 "Azure.AI.PrivateEndpoints","Use Private Endpoints to access Azure AI services accounts.","Important","Security","-"
@@ -53,7 +54,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppService.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1"
 "Azure.AppService.MinTLS","App Service should not accept weak or deprecated transport protocols for client-server communication.","Critical","Security","L1"
@@ -79,6 +80,7 @@
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.Pillar.Security.md b/docs/en/baselines/Azure.Pillar.Security.md
index 530260453f5..88467e78261 100644
--- a/docs/en/baselines/Azure.Pillar.Security.md
+++ b/docs/en/baselines/Azure.Pillar.Security.md
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Security pillar specific baseline.
 
 The following rules are included within the `Azure.Pillar.Security` baseline.
 
-This baseline includes a total of 230 rules.
+This baseline includes a total of 232 rules.
 
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -27,6 +27,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | -
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | L1
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | L1
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | L4
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important | L1
 [Azure.AI.ManagedIdentity](../rules/Azure.AI.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | L1
 [Azure.AI.PrivateEndpoints](../rules/Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | -
@@ -72,7 +73,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | -
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | -
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | -
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | -
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | L2
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | L1
 [Azure.AppService.ManagedIdentity](../rules/Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | L1
 [Azure.AppService.MinTLS](../rules/Azure.AppService.MinTLS.md) | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1
@@ -98,6 +99,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | -
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | -
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical | -
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical | -
diff --git a/docs/en/baselines/Azure.Preview.csv b/docs/en/baselines/Azure.Preview.csv
index d8b6801ed85..ed67f0675fc 100644
--- a/docs/en/baselines/Azure.Preview.csv
+++ b/docs/en/baselines/Azure.Preview.csv
@@ -1,4 +1,5 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-"
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
@@ -7,7 +8,8 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Quarantine","Enable container image quarantine, scan, and mark images as verified.","Important","Security","-"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Retention","Use a retention policy to cleanup untagged manifests.","Important","Cost Optimization","-"
@@ -15,6 +17,7 @@
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-"
 "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
@@ -42,7 +45,8 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -52,8 +56,10 @@
 "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-"
 "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-"
 "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-"
 "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-"
 "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-"
 "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-"
@@ -101,7 +107,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -142,22 +148,35 @@
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
 "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-"
@@ -230,6 +249,7 @@
 "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-"
 "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-"
 "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -269,6 +289,7 @@
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-"
 "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-"
 "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1"
@@ -285,6 +306,7 @@
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
 "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -313,6 +335,7 @@
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -337,10 +360,12 @@
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1"
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -363,6 +388,8 @@
 "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1"
 "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -371,14 +398,18 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
@@ -386,6 +417,7 @@
 "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-"
 "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
 "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-"
 "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Preview.md b/docs/en/baselines/Azure.Preview.md
index dc284019354..c57df8a3d35 100644
--- a/docs/en/baselines/Azure.Preview.md
+++ b/docs/en/baselines/Azure.Preview.md
@@ -10,10 +10,11 @@ Includes the latest rules for Azure GA and preview features that is updated each
 The following rules are included within the `Azure.Preview` baseline.
-This baseline includes a total of 490 rules.
+This baseline includes a total of 522 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
+[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical
 [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important
 [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical
@@ -23,6 +24,7 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important
 [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
@@ -30,6 +32,7 @@ Name | Synopsis | Severity
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
@@ -58,6 +61,7 @@ Name | Synopsis | Severity
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
 [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
 [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important
 [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important
 [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@@ -67,8 +71,10 @@ Name | Synopsis | Severity
 [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important
 [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important
 [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important
 [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important
 [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important
 [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important
@@ -116,7 +122,7 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -157,22 +163,35 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important
 [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical
 [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical
@@ -245,6 +264,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical
 [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important
 [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness
 [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -284,6 +304,7 @@ Name | Synopsis | Severity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness
 [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important
 [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical
 [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
 [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical
@@ -300,6 +321,7 @@ Name | Synopsis | Severity
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
 [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -328,6 +350,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness
@@ -352,10 +375,12 @@ Name | Synopsis | Severity
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -378,6 +403,8 @@ Name | Synopsis | Severity
 [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
 [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important
 [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness
@@ -387,13 +414,17 @@ Name | Synopsis | Severity
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
 [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important
 [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
@@ -401,6 +432,7 @@ Name | Synopsis | Severity
 [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important
 [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important
 [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important
 [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important
diff --git a/docs/en/rules/Azure.ACI.Naming.md b/docs/en/rules/Azure.ACI.Naming.md
new file mode 100644
index 00000000000..0abdb69ea5b
--- /dev/null
+++ b/docs/en/rules/Azure.ACI.Naming.md
@@ -0,0 +1,182 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container Instance +resourceType: Microsoft.ContainerInstance/containerGroups +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ACI.Naming/ +--- + +# Container Instance resources must use standard naming + +## SYNOPSIS + +Container Instance resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container Instance, the Cloud Adoption Framework (CAF) recommends using the `ci-` prefix. + +Requirements for Container Instance resource names: + +- Between 1 and 63 characters long. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. + +## RECOMMENDATION + +Consider creating Container Instance resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = { + name: name + location: location + properties: { + containers: containers + osType: 'Linux' + sku: 'Standard' + restartPolicy: 'Always' + ipAddress: { + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + type: 'Private' + } + subnetIds: [ + { + id: subnetId + } + ] + } +} +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + }, + }, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2025-09-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "containers": "[variables('containers')]", + "osType": "Linux", + "sku": "Standard", + "restartPolicy": "Always", + "ipAddress": { + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "type": "Private" + }, + "subnetIds": [ + { + "id": "[parameters('subnetId')]" + } + ] + } + } + ] +} +``` + +## NOTES + +This rule does not check if Container Instance resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerinstance/containergroups) 
diff --git a/docs/en/rules/Azure.ACR.Name.md b/docs/en/rules/Azure.ACR.Name.md index 00c1db14d94..f566a4df778 100644 --- a/docs/en/rules/Azure.ACR.Name.md +++ b/docs/en/rules/Azure.ACR.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2023-12-01 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration @@ -30,12 +30,66 @@ Additionally consider naming resources with a standard naming convention. ## EXAMPLES +### Configure with Bicep + +To deploy registries that pass this rule, consider: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(5) +@maxLength(50) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = { + name: name + location: location + sku: { + name: 'Premium' + } + identity: { + type: 'SystemAssigned' + } + properties: { + adminUserEnabled: false + anonymousPullEnabled: false + publicNetworkAccess: 'Disabled' + zoneRedundancy: 'Enabled' + policies: { + quarantinePolicy: { + status: 'enabled' + } + retentionPolicy: { + days: 30 + status: 'enabled' + } + softDeletePolicy: { + retentionDays: 90 + status: 'enabled' + } + exportPolicy: { + status: 'disabled' + } + } + } +} +``` + + + ### Configure with Azure template To deploy registries that pass this rule, consider: -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. For example: 
@@ -63,7 +117,7 @@ For example:
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries",
- "apiVersion": "2023-08-01-preview",
+ "apiVersion": "2025-05-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
@@ -74,14 +128,23 @@ For example:
},
"properties": {
"adminUserEnabled": false,
+ "anonymousPullEnabled": false,
+ "publicNetworkAccess": "Disabled",
+ "zoneRedundancy": "Enabled",
"policies": {
- "trustPolicy": {
- "status": "enabled",
- "type": "Notary"
+ "quarantinePolicy": {
+ "status": "enabled"
},
"retentionPolicy": {
"days": 30,
"status": "enabled"
+ },
+ "softDeletePolicy": {
+ "retentionDays": 90,
+ "status": "enabled"
+ },
+ "exportPolicy": {
+ "status": "disabled"
}
}
}
@@ -90,51 +153,6 @@ For example:
}
```
-### Configure with Bicep
-
-To deploy registries that pass this rule, consider:
-
-- Configuring a `minLength` and `maxLength` constraint for the resource name parameter.
-- Optionally, you could also use a `uniqueString()` function to generate a unique name.
-
-For example:
-
-```bicep
-@minLength(5)
-@maxLength(50)
-@sys.description('The name of the resource.')
-param name string
-
-@sys.description('The location resources will be deployed.')
-param location string = resourceGroup().location
-
-resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
- name: name
- location: location
- sku: {
- name: 'Premium'
- }
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- adminUserEnabled: false
- policies: {
- trustPolicy: {
- status: 'enabled'
- type: 'Notary'
- }
- retentionPolicy: {
- days: 30
- status: 'enabled'
- }
- }
- }
-}
-```
-
-
-
## NOTES
This rule does not check if container registry names are unique.
@@ -142,6 +160,7 @@ This rule does not check if container registry names are unique.
## LINKS
- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
diff --git a/docs/en/rules/Azure.ACR.Naming.md b/docs/en/rules/Azure.ACR.Naming.md
new file mode 100644
index 00000000000..b9d9345f1b1
--- /dev/null
+++ b/docs/en/rules/Azure.ACR.Naming.md
@@ -0,0 +1,199 @@
+---
+reviewed: 2025-10-25
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Container Registry
+resourceType: Microsoft.ContainerRegistry/registries
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ACR.Naming/
+---
+
+# Container Registry resources must use standard naming
+
+## SYNOPSIS
+
+Container Registry resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Container Registry, the Cloud Adoption Framework (CAF) recommends using the `cr` prefix.
+
+Requirements for Container Registry resource names:
+
+- Between 5 and 50 characters long.
+- Alphanumerics.
+- Container registry names must be globally unique.
+
+## RECOMMENDATION
+
+Consider creating Container Registry resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(5)
+@maxLength(50)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = {
+ name: name
+ location: location
+ sku: {
+ name: 'Premium'
+ }
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ adminUserEnabled: false
+ anonymousPullEnabled: false
+ publicNetworkAccess: 'Disabled'
+ zoneRedundancy: 'Enabled'
+ policies: {
+ quarantinePolicy: {
+ status: 'enabled'
+ }
+ retentionPolicy: {
+ days: 30
+ status: 'enabled'
+ }
+ softDeletePolicy: {
+ retentionDays: 90
+ status: 'enabled'
+ }
+ exportPolicy: {
+ status: 'disabled'
+ }
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 5,
+ "maxLength": 50,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2025-05-01-preview",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Premium"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "adminUserEnabled": false,
+ "anonymousPullEnabled": false,
+ "publicNetworkAccess": "Disabled",
+ "zoneRedundancy": "Enabled",
+ "policies": {
+ "quarantinePolicy": {
+ "status": "enabled"
+ },
+ "retentionPolicy": {
+ "days": 30,
+ "status": "enabled"
+ },
+ "softDeletePolicy": {
+ "retentionDays": 90,
+ "status": "enabled"
+ },
+ "exportPolicy": {
+ "status": "disabled"
+ }
+ }
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Container Registry resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep
functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerregistry/registries)
diff --git a/docs/en/rules/Azure.AI.FoundryNaming.md b/docs/en/rules/Azure.AI.FoundryNaming.md
index 4cc3adc150e..0b2392fab53 100644
--- a/docs/en/rules/Azure.AI.FoundryNaming.md
+++ b/docs/en/rules/Azure.AI.FoundryNaming.md
@@ -1,5 +1,5 @@
---
-reviewed: 2025-007-10
+reviewed: 2025-10-25
severity: Awareness
pillar: Operational Excellence
category: OE:04 Tools and processes
@@ -166,7 +166,10 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
diff --git a/docs/en/rules/Azure.AKS.Name.md b/docs/en/rules/Azure.AKS.Name.md
index c2ab7a81f0b..18388c50f9a 100644
--- a/docs/en/rules/Azure.AKS.Name.md
+++ b/docs/en/rules/Azure.AKS.Name.md
@@ -1,5 +1,5 @@
---
-reviewed: 2023-12-01
+reviewed: 2025-10-25
severity: Awareness
pillar: Operational Excellence
category: OE:04 Continuous integration
@@ -29,6 +29,179 @@ The requirements for AKS cluster names are:
Consider using names that meet AKS cluster naming requirements.
Additionally consider naming resources with a standard naming convention.
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy clusters that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = {
+ location: location
+ name: name
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${identity.id}': {}
+ }
+ }
+ properties: {
+ kubernetesVersion: kubernetesVersion
+ disableLocalAccounts: true
+ enableRBAC: true
+ dnsPrefix: dnsPrefix
+ agentPoolProfiles: allPools
+ aadProfile: {
+ managed: true
+ enableAzureRBAC: true
+ adminGroupObjectIDs: clusterAdmins
+ tenantID: subscription().tenantId
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ loadBalancerSku: 'standard'
+ serviceCidr: serviceCidr
+ dnsServiceIP: dnsServiceIP
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '0.0.0.0/32'
+ ]
+ }
+ autoUpgradeProfile: {
+ upgradeChannel: 'stable'
+ }
+ oidcIssuerProfile: {
+ enabled: true
+ }
+ addonProfiles: {
+ azurepolicy: {
+ enabled: true
+ }
+ omsagent: {
+ enabled: true
+ config: {
+ logAnalyticsWorkspaceResourceID: workspaceId
+ }
+ }
+ azureKeyvaultSecretsProvider: {
+ enabled: true
+ config: {
+ enableSecretRotation: 'true'
+ }
+ }
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy clusters that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the AKS cluster."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The Azure region to deploy to."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2025-07-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
+ }
+ },
+ "properties": {
+ "kubernetesVersion": "[parameters('kubernetesVersion')]",
+ "disableLocalAccounts": true,
+ "enableRBAC": true,
+ "dnsPrefix": "[parameters('dnsPrefix')]",
+ "agentPoolProfiles": "[variables('allPools')]",
+ "aadProfile": {
+ "managed": true,
+ "enableAzureRBAC": true,
+ "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
+ "tenantID": "[subscription().tenantId]"
+ },
+ "networkProfile": {
+ "networkPlugin": "azure",
+ "networkPolicy": "azure",
+ "loadBalancerSku": "standard",
+ "serviceCidr": "[variables('serviceCidr')]",
+ "dnsServiceIP": "[variables('dnsServiceIP')]"
+ },
+ "apiServerAccessProfile": {
+ "authorizedIPRanges": [
+ "0.0.0.0/32"
+ ]
+ },
+ "autoUpgradeProfile": {
+ "upgradeChannel": "stable"
+ },
+ "oidcIssuerProfile": {
+ "enabled": true
+ },
+ "addonProfiles": {
+ "azurepolicy": {
+ "enabled": true
+ },
+ "omsagent": {
+ "enabled": true,
+ "config": {
+ "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
+ }
+ },
+ "azureKeyvaultSecretsProvider": {
+ "enabled": true,
+ "config": {
+ "enableSecretRotation": "true"
+ }
+ }
+ }
+ }
+ }
+ ]
+}
+```
+
## NOTES
This rule does not check if cluster names are unique.
@@ -43,6 +216,7 @@ The requirements for DNS prefixes are:
## LINKS
- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
diff --git a/docs/en/rules/Azure.AKS.Naming.md b/docs/en/rules/Azure.AKS.Naming.md
new file mode 100644
index 00000000000..87412f777f6
--- /dev/null
+++ b/docs/en/rules/Azure.AKS.Naming.md
@@ -0,0 +1,247 @@
+---
+reviewed: 2025-10-25
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Kubernetes Service
+resourceType: Microsoft.ContainerService/managedClusters
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.Naming/
+---
+
+# AKS cluster resources must use standard naming
+
+## SYNOPSIS
+
+AKS cluster resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For AKS cluster, the Cloud Adoption Framework (CAF) recommends using the `aks-` prefix.
+
+Requirements for AKS cluster resource names:
+
+- Between 1 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating AKS cluster resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy clusters that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = {
+ location: location
+ name: name
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${identity.id}': {}
+ }
+ }
+ properties: {
+ kubernetesVersion: kubernetesVersion
+ disableLocalAccounts: true
+ enableRBAC: true
+ dnsPrefix: dnsPrefix
+ agentPoolProfiles: allPools
+ aadProfile: {
+ managed: true
+ enableAzureRBAC: true
+ adminGroupObjectIDs: clusterAdmins
+ tenantID: subscription().tenantId
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ loadBalancerSku: 'standard'
+ serviceCidr: serviceCidr
+ dnsServiceIP: dnsServiceIP
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '0.0.0.0/32'
+ ]
+ }
+ autoUpgradeProfile: {
+ upgradeChannel: 'stable'
+ }
+ oidcIssuerProfile: {
+ enabled: true
+ }
+ addonProfiles: {
+ azurepolicy: {
+ enabled: true
+ }
+ omsagent: {
+ enabled: true
+ config: {
+ logAnalyticsWorkspaceResourceID: workspaceId
+ }
+ }
+ azureKeyvaultSecretsProvider: {
+ enabled: true
+ config: {
+ enableSecretRotation: 'true'
+ }
+ }
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy clusters that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the AKS cluster."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The Azure region to deploy to."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2025-07-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
+ }
+ },
+ "properties": {
+ "kubernetesVersion": "[parameters('kubernetesVersion')]",
+ "disableLocalAccounts": true,
+ "enableRBAC": true,
+ "dnsPrefix": "[parameters('dnsPrefix')]",
+ "agentPoolProfiles": "[variables('allPools')]",
+ "aadProfile": {
+ "managed": true,
+ "enableAzureRBAC": true,
+ "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
+ "tenantID": "[subscription().tenantId]"
+ },
+ "networkProfile": {
+ "networkPlugin": "azure",
+ "networkPolicy": "azure",
+ "loadBalancerSku": "standard",
+ "serviceCidr": "[variables('serviceCidr')]",
+ "dnsServiceIP": "[variables('dnsServiceIP')]"
+ },
+ "apiServerAccessProfile": {
+ "authorizedIPRanges": [
+ "0.0.0.0/32"
+ ]
+ },
+ "autoUpgradeProfile": {
+ "upgradeChannel": "stable"
+ },
+ "oidcIssuerProfile": {
+ "enabled": true
+ },
+ "addonProfiles": {
+ "azurepolicy": {
+ "enabled": true
+ },
+ "omsagent": {
+ "enabled": true,
+ "config": {
+ "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
+ }
+ },
+ "azureKeyvaultSecretsProvider": {
+ "enabled": true,
+ "config": {
+ "enableSecretRotation": "true"
+ }
+ }
+ }
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if AKS cluster resource
names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_AKS_CLUSTER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
diff --git a/docs/en/rules/Azure.AKS.SystemPoolNaming.md b/docs/en/rules/Azure.AKS.SystemPoolNaming.md
new file mode 100644
index 00000000000..973c8ccfc2d
--- /dev/null
+++ b/docs/en/rules/Azure.AKS.SystemPoolNaming.md
@@ -0,0 +1,166 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Kubernetes Service
+resourceType: Microsoft.ContainerService/managedClusters,Microsoft.ContainerService/managedClusters/agentPools
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.SystemPoolNaming/
+---
+
+# AKS system node pool resources must use standard naming
+
+## SYNOPSIS
+
+AKS system node pool resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For AKS system node pool, the Cloud Adoption Framework (CAF) recommends using the `npsystem` prefix.
+
+Requirements for AKS system node pool resource names:
+
+- Between 1 and 12 characters long.
+- Lowercase letters and numbers
+- Can't start with a number.
+
+## RECOMMENDATION
+
+Consider creating AKS system node pool resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(12)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource system 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = {
+ parent: cluster
+ name: name
+ properties: {
+ osDiskSizeGB: osDiskSizeGB
+ minCount: 3
+ maxCount: 7
+ enableAutoScaling: true
+ maxPods: systemPoolMaxPods
+ vmSize: 'Standard_D16ds_v6'
+ osType: 'Linux'
+ type: 'VirtualMachineScaleSets'
+ vnetSubnetID: clusterSubnetId
+ mode: 'System'
+ osDiskType: 'Ephemeral'
+ scaleSetPriority: 'Regular'
+ }
+}
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2025-07-01",
+ "name": "[format('{0}/{1}', parameters('name'), 'system')]",
+ "properties": {
+ "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+ "minCount": 3,
+ "maxCount": 7,
+ "enableAutoScaling": true,
+ "maxPods": "[parameters('systemPoolMaxPods')]",
+ "vmSize": "Standard_D16ds_v6",
+ "osType": "Linux",
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "[parameters('clusterSubnetId')]",
+ "mode": "System",
+ "osDiskType": "Ephemeral",
+ "scaleSetPriority": "Regular"
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if AKS system node pool resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment
reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools)
diff --git a/docs/en/rules/Azure.AKS.UserPoolNaming.md b/docs/en/rules/Azure.AKS.UserPoolNaming.md
new file mode 100644
index 00000000000..443de104b67
--- /dev/null
+++ b/docs/en/rules/Azure.AKS.UserPoolNaming.md
@@ -0,0 +1,166 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Kubernetes Service
+resourceType: Microsoft.ContainerService/managedClusters,Microsoft.ContainerService/managedClusters/agentPools
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UserPoolNaming/
+---
+
+# AKS user node pool resources must use standard naming
+
+## SYNOPSIS
+
+AKS user node pool resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For AKS user node pool, the Cloud Adoption Framework (CAF) recommends using the `np` prefix.
+
+Requirements for AKS user node pool resource names:
+
+- Between 1 and 12 characters long for Linux, and between 1 and 6 characters long for Windows.
+- Lowercase letters and numbers
+- Can't start with a number.
+
+## RECOMMENDATION
+
+Consider creating AKS user node pool resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(12)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource user 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = {
+ parent: cluster
+ name: name
+ properties: {
+ osDiskSizeGB: osDiskSizeGB
+ minCount: 3
+ maxCount: 20
+ enableAutoScaling: true
+ maxPods: 150
+ vmSize: 'Standard_D16ds_v6'
+ osType: 'Linux'
+ type: 'VirtualMachineScaleSets'
+ vnetSubnetID: clusterSubnetId
+ mode: 'User'
+ osDiskType: 'Ephemeral'
+ scaleSetPriority: 'Regular'
+ }
+}
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2025-07-01",
+ "name": "[format('{0}/{1}', parameters('name'), 'user')]",
+ "properties": {
+ "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+ "minCount": 3,
+ "maxCount": 20,
+ "enableAutoScaling": true,
+ "maxPods": 150,
+ "vmSize": "Standard_D16ds_v6",
+ "osType": "Linux",
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "[parameters('clusterSubnetId')]",
+ "mode": "User",
+ "osDiskType": "Ephemeral",
+ "scaleSetPriority": "Regular"
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if AKS user node pool resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_AKS_USER_POOL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_AKS_USER_POOL_NAME_FORMAT: '^np'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools)
diff --git a/docs/en/rules/Azure.ContainerApp.EnvNaming.md b/docs/en/rules/Azure.ContainerApp.EnvNaming.md
new file mode 100644
index 00000000000..83bd5c60186
--- /dev/null
+++ b/docs/en/rules/Azure.ContainerApp.EnvNaming.md
@@ -0,0 +1,182 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Container App Environment
+resourceType: Microsoft.App/managedEnvironments
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.EnvNaming/
+---
+
+# Container App Environment resources must use standard naming
+
+## SYNOPSIS
+
+Container App Environment resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Container App Environment, the Cloud Adoption Framework (CAF) recommends using the `cae-` prefix.
+
+Requirements for Container App Environment resource names:
+
+- Between 2 and 60 characters long.
+- Lowercase letters, numbers, and hyphens.
+
+## RECOMMENDATION
+
+Consider creating Container App Environment resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(2)
+@maxLength(60)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource containerEnv 'Microsoft.App/managedEnvironments@2025-01-01' = {
+ name: name
+ location: location
+ properties: {
+ appLogsConfiguration: {
+ destination: 'log-analytics'
+ logAnalyticsConfiguration: {
+ customerId: workspace.properties.customerId
+ sharedKey: workspace.listKeys().primarySharedKey
+ }
+ }
+ zoneRedundant: true
+ workloadProfiles: [
+ {
+ name: 'Consumption'
+ workloadProfileType: 'Consumption'
+ }
+ ]
+ vnetConfiguration: {
+ infrastructureSubnetId: subnetId
+ internal: true
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 60,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.App/managedEnvironments",
+ "apiVersion": "2025-01-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "appLogsConfiguration": {
+ "destination": "log-analytics",
+ "logAnalyticsConfiguration": {
+ "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8]), '2022-10-01').customerId]",
+ "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8]), '2022-10-01').primarySharedKey]"
+ }
+ },
+ "zoneRedundant": true,
+ "workloadProfiles": [
+ {
+ "name": "Consumption",
+ "workloadProfileType": "Consumption"
+ }
+ ],
+ "vnetConfiguration": {
+ "infrastructureSubnetId": "[parameters('subnetId')]",
+ "internal": true
+ }
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Container App Environment resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/managedenvironments)
diff --git a/docs/en/rules/Azure.ContainerApp.JobNaming.md b/docs/en/rules/Azure.ContainerApp.JobNaming.md
new file mode 100644
index 00000000000..7d95cf2d8d5
--- /dev/null
+++ b/docs/en/rules/Azure.ContainerApp.JobNaming.md
@@ -0,0 +1,174 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Container App Job
+resourceType: Microsoft.App/jobs
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.JobNaming/
+---
+
+# Container App Job resources must use standard naming
+
+## SYNOPSIS
+
+Container App Job resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Container App Job, the Cloud Adoption Framework (CAF) recommends using the `caj-` prefix.
+
+Requirements for Container App Job resource names:
+
+- Between 2 and 32 characters long.
+- Lowercase letters, numbers, and hyphens.
+- Start with letter and end with alphanumeric.
+- Can not contain consecutive hyphens.
+
+## RECOMMENDATION
+
+Consider creating Container App Job resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(2)
+@maxLength(32)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource job 'Microsoft.App/jobs@2025-01-01' = {
+ name: name
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ environmentId: containerEnv.id
+ template: {
+ containers: containers
+ }
+ workloadProfileName: workloadProfileName
+ configuration: {
+ replicaTimeout: 300
+ triggerType: 'Manual'
+ manualTriggerConfig: {}
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.App/jobs",
+ "apiVersion": "2025-01-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]",
+ "template": {
+ "containers": "[variables('containers')]"
+ },
+ "workloadProfileName": "[parameters('workloadProfileName')]",
+ "configuration": {
+ "replicaTimeout": 300,
+ "triggerType": "Manual",
+ "manualTriggerConfig": {}
+ }
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Container App Job resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/jobs)
diff --git a/docs/en/rules/Azure.ContainerApp.Name.md b/docs/en/rules/Azure.ContainerApp.Name.md
index 33f29f8dc6e..cc4bc501175 100644
--- a/docs/en/rules/Azure.ContainerApp.Name.md
+++ b/docs/en/rules/Azure.ContainerApp.Name.md
@@ -1,4 +1,5 @@
 ---
+reviewed: 2025-10-26
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Continuous integration
@@ -21,6 +22,7 @@ The requirements for container app names are:
 - Between 2 and 32 characters long.
 - Lowercase letters, numbers, and hyphens.
 - Start with letter and end with alphanumeric.
+- Can not contain consecutive hyphens.
 ## RECOMMENDATION
@@ -29,12 +31,57 @@ Additionally consider naming resources with a standard naming convention.
 ## EXAMPLES
+### Configure with Bicep
+
+To deploy Container Apps that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(2)
+@maxLength(32)
+@description('The name of the container app.')
+param appName string
+
+resource containerApp 'Microsoft.App/containerApps@2025-01-01' = {
+ name: appName
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ environmentId: containerEnv.id
+ template: {
+ revisionSuffix: revision
+ containers: containers
+ scale: {
+ minReplicas: 2
+ }
+ }
+ configuration: {
+ ingress: {
+ allowInsecure: false
+ external: false
+ stickySessions: {
+ affinity: 'none'
+ }
+ }
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy Container Apps that pass this rule:
+
-- Configuring a `minLength` and `maxLength` constraint for the resource name parameter.
-- Optionally, you could also use a `uniqueString()` function to generate a unique name.
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
 For example:
@@ -98,7 +145,7 @@ For example:
 "resources": [
 {
 "type": "Microsoft.App/containerApps",
- "apiVersion": "2023-05-01",
+ "apiVersion": "2025-01-01",
 "name": "[parameters('appName')]",
 "location": "[parameters('location')]",
 "identity": {
@@ -116,6 +163,7 @@ For example:
 "configuration": {
 "ingress": {
 "allowInsecure": false,
+ "external": false,
 "stickySessions": {
 "affinity": "none"
 }
@@ -127,50 +175,6 @@ For example:
 }
 ```
-### Configure with Bicep
-
-To deploy Container Apps that pass this rule:
-
-- Configuring a `minLength` and `maxLength` constraint for the resource name parameter.
-- Optionally, you could also use a `uniqueString()` function to generate a unique name.
-
-For example:
-
-```bicep
-@minLength(2)
-@maxLength(32)
-@description('The name of the container app.')
-param appName string
-
-resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
- name: appName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- environmentId: containerEnv.id
- template: {
- revisionSuffix: revision
- containers: containers
- scale: {
- minReplicas: 2
- }
- }
- configuration: {
- ingress: {
- allowInsecure: false
- stickySessions: {
- affinity: 'none'
- }
- }
- }
- }
-}
-```
-
-
 ## NOTES
 This rule does not check if container app names are unique.
@@ -178,5 +182,8 @@ This rule does not check if container app names are unique.
 ## LINKS
 - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Naming rules and restrictions for container app resource](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftapp)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps)
diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md
new file mode 100644
index 00000000000..a5e21871e00
--- /dev/null
+++ b/docs/en/rules/Azure.ContainerApp.Naming.md
@@ -0,0 +1,221 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Container App
+resourceType: Microsoft.App/containerApps
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.Naming/
+---
+
+# Container App resources must use standard naming
+
+## SYNOPSIS
+
+Container App resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Container App, the Cloud Adoption Framework (CAF) recommends using the `ca-` prefix.
+
+Requirements for Container App resource names:
+
+- Between 2 and 32 characters long.
+- Lowercase letters, numbers, and hyphens.
+- Start with letter and end with alphanumeric.
+- Can not contain consecutive hyphens.
+
+## RECOMMENDATION
+
+Consider creating Container App resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy Container Apps that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(2)
+@maxLength(32)
+@description('The name of the container app.')
+param appName string
+
+resource containerApp 'Microsoft.App/containerApps@2025-01-01' = {
+ name: appName
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ environmentId: containerEnv.id
+ template: {
+ revisionSuffix: revision
+ containers: containers
+ scale: {
+ minReplicas: 2
+ }
+ }
+ configuration: {
+ ingress: {
+ allowInsecure: false
+ external: false
+ stickySessions: {
+ affinity: 'none'
+ }
+ }
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy Container Apps that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "envName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the app environment."
+ }
+ },
+ "appName": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32,
+ "metadata": {
+ "description": "The name of the container app."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of a Log Analytics workspace"
+ }
+ },
+ "subnetId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of a VNET subnet."
+ }
+ },
+ "revision": {
+ "type": "string",
+ "metadata": {
+ "description": "The revision of the container app."
+ }
+ }
+ },
+ "variables": {
+ "containers": [
+ {
+ "name": "simple-hello-world-container",
+ "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest",
+ "resources": {
+ "cpu": "[json('0.25')]",
+ "memory": ".5Gi"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.App/containerApps",
+ "apiVersion": "2025-01-01",
+ "name": "[parameters('appName')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
+ "template": {
+ "revisionSuffix": "[parameters('revision')]",
+ "containers": "[variables('containers')]",
+ "scale": {
+ "minReplicas": 2
+ }
+ },
+ "configuration": {
+ "ingress": {
+ "allowInsecure": false,
+ "external": false,
+ "stickySessions": {
+ "affinity": "none"
+ }
+ }
+ }
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Container App resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_CONTAINER_APP_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps)
diff --git a/docs/en/rules/Azure.Cosmos.AccountName.md b/docs/en/rules/Azure.Cosmos.AccountName.md
index be45d54d511..fc58e35c62d 100644
--- a/docs/en/rules/Azure.Cosmos.AccountName.md
+++ b/docs/en/rules/Azure.Cosmos.AccountName.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2025-11-01
 severity: Awareness
 pillar: Operational Excellence
-category: Repeatable infrastructure
+category: OE:04 Continuous integration
 resource: Cosmos DB
 resourceType: Microsoft.DocumentDB/databaseAccounts
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.AccountName/
@@ -28,13 +29,110 @@ The requirements for Cosmos DB account names are:
 Consider using names that meet Cosmos DB account naming requirements.
 Additionally consider naming resources with a standard naming convention.
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy accounts that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
+ name: name
+ location: location
+ properties: {
+ enableFreeTier: false
+ consistencyPolicy: {
+ defaultConsistencyLevel: 'Session'
+ }
+ databaseAccountOfferType: 'Standard'
+ locations: [
+ {
+ locationName: location
+ failoverPriority: 0
+ isZoneRedundant: true
+ }
+ ]
+ disableKeyBasedMetadataWriteAccess: true
+ minimalTlsVersion: 'Tls12'
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy accounts that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 3,
+ "maxLength": 44,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2025-04-15",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "enableFreeTier": false,
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "Session"
+ },
+ "databaseAccountOfferType": "Standard",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]",
+ "failoverPriority": 0,
+ "isZoneRedundant": true
+ }
+ ],
+ "disableKeyBasedMetadataWriteAccess": true,
+ "minimalTlsVersion": "Tls12"
+ }
+ }
+ ]
+}
+```
+
 ## NOTES
 This rule does not check if Cosmos DB account names are unique.
 ## LINKS
-- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure)
-- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdocumentdb)
-- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
+- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
new file mode 100644
index 00000000000..6632cc919b9
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for Apache Cassandra account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.CassandraNaming/
+---
+
+# Cosmos DB for Apache Cassandra account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for Apache Cassandra account, the Cloud Adoption Framework (CAF) recommends using the `coscas-` prefix.
+
+Requirements for Cosmos DB for Apache Cassandra account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for Apache Cassandra account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for Apache Cassandra account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
new file mode 100644
index 00000000000..bddaf116cec
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB database
+resourceType: Microsoft.DocumentDB/databaseAccounts/sqlDatabases
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.DatabaseNaming/
+---
+
+# Cosmos DB database resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB database, the Cloud Adoption Framework (CAF) recommends using the `cosmos-` prefix.
+
+Requirements for Cosmos DB database resource names:
+
+- Between 1 and 255 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB database resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(255)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB database resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_DATABASE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.GremlinNaming.md b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
new file mode 100644
index 00000000000..326c07aef4c
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for Apache Gremlin account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.GremlinNaming/
+---
+
+# Cosmos DB for Apache Gremlin account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for Apache Gremlin account, the Cloud Adoption Framework (CAF) recommends using the `cosgrm-` prefix.
+
+Requirements for Cosmos DB for Apache Gremlin account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for Apache Gremlin account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for Apache Gremlin account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_GREMLIN_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md
new file mode 100644
index 00000000000..94730f97bbc
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for MongoDB account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.MongoNaming/
+---
+
+# Cosmos DB for MongoDB account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for MongoDB account, the Cloud Adoption Framework (CAF) recommends using the `cosmon-` prefix.
+
+Requirements for Cosmos DB for MongoDB account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for MongoDB account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for MongoDB account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_MONGO_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
new file mode 100644
index 00000000000..4df6ea941a0
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for NoSQL account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.NoSQLNaming/
+---
+
+# Cosmos DB for NoSQL account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for NoSQL account, the Cloud Adoption Framework (CAF) recommends using the `cosno-` prefix.
+
+Requirements for Cosmos DB for NoSQL account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for NoSQL account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for NoSQL account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_NOSQL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
new file mode 100644
index 00000000000..c36a92abbdf
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB PostgreSQL cluster
+resourceType: Microsoft.DBforPostgreSQL/serverGroupsv2
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.PostgreSQLNaming/
+---
+
+# Cosmos DB PostgreSQL cluster resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB PostgreSQL cluster, the Cloud Adoption Framework (CAF) recommends using the `cospos-` prefix.
+
+Requirements for Cosmos DB PostgreSQL cluster resource names:
+
+- Between 3 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB PostgreSQL cluster resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB PostgreSQL cluster resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md
new file mode 100644
index 00000000000..b2901d3b647
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.TableNaming.md
@@ -0,0 +1,101 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for Table account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.TableNaming/
+---
+
+# Cosmos DB for Table account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for Table account, the Cloud Adoption Framework (CAF) recommends using the `costab-` prefix.
+
+Requirements for Cosmos DB for Table account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for Table account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for Table account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_TABLE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.LB.Name.md b/docs/en/rules/Azure.LB.Name.md
index e4b5cf5a8b5..3cc183ce830 100644
--- a/docs/en/rules/Azure.LB.Name.md
+++ b/docs/en/rules/Azure.LB.Name.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2025-04-11
+reviewed: 2025-10-25
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Continuous integration
@@ -93,13 +93,6 @@ For example:
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.34.44.8038",
- "templateHash": "15799925094518670850"
- }
- },
 "parameters": {
 "name": {
 "type": "string",
@@ -115,18 +108,6 @@ For example:
 "metadata": {
 "description": "The location resources will be deployed."
 }
- },
- "subnetId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the virtual network subnet."
- }
- },
- "pipId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the public IP address."
- }
 }
 },
 "resources": [
@@ -169,6 +150,7 @@ This rule does not check if Load Balancer names are unique.
 ## LINKS
 
 - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
diff --git a/docs/en/rules/Azure.MySQL.ServerName.md b/docs/en/rules/Azure.MySQL.ServerName.md
index 56ff0eca7b8..b47a267344b 100644
--- a/docs/en/rules/Azure.MySQL.ServerName.md
+++ b/docs/en/rules/Azure.MySQL.ServerName.md
@@ -1,7 +1,7 @@
 ---
 severity: Awareness
 pillar: Operational Excellence
-category: Repeatable infrastructure
+category: OE:04 Continuous integration
 resource: Azure Database for MySQL
 resourceType: Microsoft.DBforMySQL/servers
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.ServerName/
@@ -34,5 +34,10 @@ This rule does not check if Azure MySQL DB server names are unique.
 
 ## LINKS
 
-- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure)
-- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdbformysql)
+- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers)
diff --git a/docs/en/rules/Azure.MySQL.ServerNaming.md b/docs/en/rules/Azure.MySQL.ServerNaming.md
new file mode 100644
index 00000000000..9e4fff43a56
--- /dev/null
+++ b/docs/en/rules/Azure.MySQL.ServerNaming.md
@@ -0,0 +1,177 @@
+---
+reviewed: 2025-11-01
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Database for MySQL
+resourceType: Microsoft.DBforMySQL/flexibleServers,Microsoft.DBforMySQL/servers
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.ServerNaming/
+---
+
+# MySQL database server resources must use standard naming
+
+## SYNOPSIS
+
+MySQL database server resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For MySQL database server, the Cloud Adoption Framework (CAF) recommends using the `mysql-` prefix.
+
+Requirements for MySQL database server resource names:
+
+- Between 3 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating MySQL database server resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource flexible 'Microsoft.DBforMySQL/flexibleServers@2024-12-30' = {
+  name: name
+  location: location
+  sku: {
+    name: 'Standard_D16as'
+    tier: 'GeneralPurpose'
+  }
+  properties: {
+    createMode: 'Default'
+    version: '8.0.21'
+    administratorLogin: administratorLogin
+    administratorLoginPassword: administratorLoginPassword
+    highAvailability: {
+      mode: 'ZoneRedundant'
+    }
+    maintenanceWindow: {
+      customWindow: 'Enabled'
+      dayOfWeek: 0
+      startHour: 1
+      startMinute: 0
+    }
+  }
+}
+```
+
+### Configure with Azure template
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "name": {
+      "type": "string",
+      "minLength": 3,
+      "maxLength": 63,
+      "metadata": {
+        "description": "The name of the resource."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location resources will be deployed."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.DBforMySQL/flexibleServers",
+      "apiVersion": "2024-12-30",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "Standard_D16as",
+        "tier": "GeneralPurpose"
+      },
+      "properties": {
+        "createMode": "Default",
+        "version": "8.0.21",
+        "administratorLogin": "[parameters('administratorLogin')]",
+        "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+        "highAvailability": {
+          "mode": "ZoneRedundant"
+        },
+        "maintenanceWindow": {
+          "customWindow": "Enabled",
+          "dayOfWeek": 0,
+          "startHour": 1,
+          "startMinute": 0
+        }
+      }
+    }
+  ]
+}
+```
+
+## NOTES
+
+This rule does not check if MySQL database server resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_MYSQL_SERVER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+  AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/flexibleservers)
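Review bot: The Bicep example references `administratorLogin` and `administratorLoginPassword` without declaring them, and the Azure template reads `parameters('administratorLogin')` and `parameters('administratorLoginPassword')` although only `name` and `location` exist under `parameters`, so neither example deploys as written. Add the two parameters and mark the password as secret so it is not persisted in deployment history or logs: `param administratorLogin string` and `@secure() param administratorLoginPassword string` in Bicep, and `"administratorLoginPassword": { "type": "securestring" }` in the template. Alternatively, follow the PostgreSQL example in this same commit, which needs no password parameter because it enables Microsoft Entra authentication and disables password authentication, if MySQL flexible server supports the equivalent configuration.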
diff --git a/docs/en/rules/Azure.PostgreSQL.ServerName.md b/docs/en/rules/Azure.PostgreSQL.ServerName.md index fc85a23fc3a..ba7bf20a9e2 100644 --- a/docs/en/rules/Azure.PostgreSQL.ServerName.md +++ b/docs/en/rules/Azure.PostgreSQL.ServerName.md @@ -1,7 +1,7 @@ --- severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: Azure Database for PostgreSQL resourceType: Microsoft.DBforPostgreSQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.ServerName/ @@ -34,5 +34,10 @@ This rule does not check if Azure PostgreSQL DB server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdbforpostgresql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers) 
diff --git a/docs/en/rules/Azure.PostgreSQL.ServerNaming.md b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md
new file mode 100644
index 00000000000..534882d9393
--- /dev/null
+++ b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md
@@ -0,0 +1,185 @@
+---
+reviewed: 2025-11-01
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Database for PostgreSQL
+resourceType: Microsoft.DBforPostgreSQL/flexibleServers,Microsoft.DBforPostgreSQL/servers
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.ServerNaming/
+---
+
+# PostgreSQL database server resources must use standard naming
+
+## SYNOPSIS
+
+PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For PostgreSQL database server, the Cloud Adoption Framework (CAF) recommends using the `psql-` prefix.
+
+Requirements for PostgreSQL database server resource names:
+
+- Between 3 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating PostgreSQL database server resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'Standard_D2ds_v4'
+    tier: 'GeneralPurpose'
+  }
+  properties: {
+    createMode: 'Default'
+    authConfig: {
+      activeDirectoryAuth: 'Enabled'
+      passwordAuth: 'Disabled'
+      tenantId: tenant().tenantId
+    }
+    version: '14'
+    storage: {
+      storageSizeGB: 32
+    }
+    backup: {
+      backupRetentionDays: 7
+      geoRedundantBackup: 'Enabled'
+    }
+    highAvailability: {
+      mode: 'ZoneRedundant'
+    }
+  }
+}
+```
+
+### Configure with Azure template
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "name": {
+      "type": "string",
+      "minLength": 3,
+      "maxLength": 63,
+      "metadata": {
+        "description": "The name of the resource."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location resources will be deployed."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.DBforPostgreSQL/flexibleServers",
+      "apiVersion": "2024-08-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "Standard_D2ds_v4",
+        "tier": "GeneralPurpose"
+      },
+      "properties": {
+        "createMode": "Default",
+        "authConfig": {
+          "activeDirectoryAuth": "Enabled",
+          "passwordAuth": "Disabled",
+          "tenantId": "[tenant().tenantId]"
+        },
+        "version": "14",
+        "storage": {
+          "storageSizeGB": 32
+        },
+        "backup": {
+          "backupRetentionDays": 7,
+          "geoRedundantBackup": "Enabled"
+        },
+        "highAvailability": {
+          "mode": "ZoneRedundant"
+        }
+      }
+    }
+  ]
+}
+```
+
+## NOTES
+
+This rule does not check if PostgreSQL database server resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+  AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/flexibleservers)
diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md
new file mode 100644
index 00000000000..e277643fcc7
--- /dev/null
+++ b/docs/en/rules/Azure.Redis.Naming.md
@@ -0,0 +1,184 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Cache for Redis
+resourceType: Microsoft.Cache/Redis
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.Naming/
+---
+
+# Azure Cache for Redis resources must use standard naming
+
+## SYNOPSIS
+
+Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure Cache for Redis, the Cloud Adoption Framework (CAF) recommends using the `redis-` prefix.
+
+Requirements for Azure Cache for Redis resource names:
+
+- Between 1 and 63 characters long.
+- Can include alphanumeric, and hyphen characters.
+- Can only start and end with a letter or number.
+- Cache names must be globally unique.
+
+## RECOMMENDATION
+
+Consider creating Azure Cache for Redis resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy caches that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource cache 'Microsoft.Cache/redis@2024-11-01' = {
+  name: name
+  location: location
+  properties: {
+    redisVersion: '6'
+    sku: {
+      name: 'Premium'
+      family: 'P'
+      capacity: 1
+    }
+    redisConfiguration: {
+      'aad-enabled': 'True'
+      'maxmemory-reserved': '615'
+    }
+    enableNonSslPort: false
+    publicNetworkAccess: 'Disabled'
+    disableAccessKeyAuthentication: true
+  }
+  zones: [
+    '1'
+    '2'
+    '3'
+  ]
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy caches that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "name": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 63,
+      "metadata": {
+        "description": "The name of the resource."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location resources will be deployed."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Cache/redis",
+      "apiVersion": "2024-11-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "redisVersion": "6",
+        "sku": {
+          "name": "Premium",
+          "family": "P",
+          "capacity": 1
+        },
+        "redisConfiguration": {
+          "aad-enabled": "True",
+          "maxmemory-reserved": "615"
+        },
+        "enableNonSslPort": false,
+        "publicNetworkAccess": "Disabled",
+        "disableAccessKeyAuthentication": true
+      },
+      "zones": [
+        "1",
+        "2",
+        "3"
+      ]
+    }
+  ]
+}
+```
+
+## NOTES
+
+This rule does not check if Azure Cache for Redis resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_REDIS_CACHE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+  AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)
diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md
new file mode 100644
index 00000000000..bee08c9ce18
--- /dev/null
+++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md
@@ -0,0 +1,168 @@
+---
+reviewed: 2025-11-16
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Cache for Redis Enterprise
+resourceType: Microsoft.Cache/redisEnterprise
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.Naming/
+---
+
+# Azure Cache for Redis Enterprise resources must use standard naming
+
+## SYNOPSIS
+
+Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure Cache for Redis Enterprise, the Cloud Adoption Framework (CAF) recommends using the `redis-` prefix.
+
+Requirements for Azure Cache for Redis Enterprise resource names:
+
+- Between 1 and 63 characters long.
+- Can include alphanumeric, and hyphen characters.
+- Can only start and end with a letter or number.
+- Cache names must be globally unique.
+
+## RECOMMENDATION
+
+Consider creating Azure Cache for Redis Enterprise resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy enterprise caches that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource cache 'Microsoft.Cache/redisEnterprise@2025-04-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'Enterprise_E10'
+  }
+  properties: {
+    minimumTlsVersion: '1.2'
+  }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy enterprise caches that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "name": {
+      "type": "string",
+      "minLength": 2,
+      "maxLength": 64,
+      "metadata": {
+        "description": "The name of the resource."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location resources will be deployed."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Cache/redis",
+      "apiVersion": "2024-11-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "redisVersion": "6",
+        "sku": {
+          "name": "Premium",
+          "family": "P",
+          "capacity": 1
+        },
+        "redisConfiguration": {
+          "aad-enabled": "True",
+          "maxmemory-reserved": "615"
+        },
+        "enableNonSslPort": false,
+        "publicNetworkAccess": "Disabled",
+        "disableAccessKeyAuthentication": true
+      },
+      "zones": [
+        "1",
+        "2",
+        "3"
+      ]
+    }
+  ]
+}
+```
+
+## NOTES
+
+This rule does not check if Azure Cache for Redis resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+  AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^redis-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise)
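Review bot: The Azure template example deploys `Microsoft.Cache/redis` at `2024-11-01` with a Premium SKU, `redisConfiguration` and `zones` — the same template as Azure.Redis.Naming.md — instead of the `Microsoft.Cache/redisEnterprise` resource this rule targets and the Bicep example shows, and its `"minLength": 2` / `"maxLength": 64` contradict the 1–63 range given in the requirements list and in the Bicep `@minLength(1)` / `@maxLength(63)`. The template block should be rebuilt to mirror the Bicep example, as below. The NOTES line `This rule does not check if Azure Cache for Redis resource names are unique.` should read `... Azure Cache for Redis Enterprise resource names ...`, and a `For example:` line is missing before the json fence where the Bicep section has one.
```json
  "parameters": {
    "name": {
      "type": "string",
      "minLength": 1,
      "maxLength": 63,
      "metadata": {
        "description": "The name of the resource."
      }
    },
    // … unchanged: location parameter …
  },
  "resources": [
    {
      "type": "Microsoft.Cache/redisEnterprise",
      "apiVersion": "2025-04-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Enterprise_E10"
      },
      "properties": {
        "minimumTlsVersion": "1.2"
      }
    }
  ]
```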
diff --git a/docs/en/rules/Azure.RedisEnterprise.Zones.md b/docs/en/rules/Azure.RedisEnterprise.Zones.md index c6100f576c1..ccc09c465eb 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Zones.md +++ b/docs/en/rules/Azure.RedisEnterprise.Zones.md @@ -138,6 +138,8 @@ resource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021- } ``` + + ## NOTES This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region. @@ -155,4 +157,4 @@ configuration: - [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones) - [Enable zone redundancy for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy) - [High availability for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-high-availability) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise?tabs=json) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) diff --git a/docs/en/rules/Azure.SQL.DBName.md b/docs/en/rules/Azure.SQL.DBName.md index c73e1a93ba2..a6dc0dbb248 100644 --- a/docs/en/rules/Azure.SQL.DBName.md +++ b/docs/en/rules/Azure.SQL.DBName.md @@ -1,7 +1,8 @@ --- +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: SQL Database resourceType: Microsoft.Sql/servers/databases online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DBName/ 
@@ -21,7 +22,7 @@ The requirements for SQL Database names are: - Between 1 and 128 characters long. - Letters, numbers, and special characters except: `<>*%&:\/?` - Can't end with period or a space. -- Azure SQL Database names must be unique for each logical server. +- Must be unique for each logical server. The following reserved database names can not be used: 
@@ -34,11 +35,97 @@ The following reserved database names can not be used: Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource database 'Microsoft.Sql/servers/databases@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + collation: 'SQL_Latin1_General_CP1_CI_AS' + maxSizeBytes: maxSize + catalogCollation: 'SQL_Latin1_General_CP1_CI_AS' + readScale: 'Disabled' + zoneRedundant: true + } +} +``` + +### Configure with Azure template + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "[variables('maxSize')]", + "catalogCollation": "SQL_Latin1_General_CP1_CI_AS", + "readScale": "Disabled", + "zoneRedundant": true + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL Database names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/databases) 
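Review bot: The new Bicep example references `server` (as `parent`) and `maxSize` without declaring either, and the Azure template names the database `[format('{0}/{1}', parameters('name'), parameters('name'))]` — reusing the database name parameter for the logical server segment — while reading `variables('maxSize')` with no `variables` section, so neither example deploys as written. Declare the server separately, e.g. `param serverName string` with the template name expression `[format('{0}/{1}', parameters('serverName'), parameters('name'))]`, and either declare `maxSize` or replace it with a literal value. The same Bicep and template snippets are repeated in the new Azure.SQL.DBNaming.md in this commit. A `For example:` line is also missing before the json fence, unlike the Bicep section above it.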
diff --git a/docs/en/rules/Azure.SQL.DBNaming.md b/docs/en/rules/Azure.SQL.DBNaming.md
new file mode 100644
index 00000000000..4295d51cec4
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.DBNaming.md
@@ -0,0 +1,155 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL database
+resourceType: Microsoft.Sql/servers/databases
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DBNaming/
+---
+
+# Azure SQL database resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL database resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL database, the Cloud Adoption Framework (CAF) recommends using the `sqldb-` prefix.
+
+Requirements for Azure SQL database resource names:
+
+- Between 1 and 128 characters long.
+- Letters, numbers, and special characters except: `<>*%&:\/?`
+- Can't end with period or a space.
+- Must be unique for each logical server.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL database resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy databases that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(128)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource database 'Microsoft.Sql/servers/databases@2024-05-01-preview' = {
+ parent: server
+ name: name
+ location: location
+ properties: {
+ collation: 'SQL_Latin1_General_CP1_CI_AS'
+ maxSizeBytes: maxSize
+ catalogCollation: 'SQL_Latin1_General_CP1_CI_AS'
+ readScale: 'Disabled'
+ zoneRedundant: true
+ }
+}
+```
+
+### Configure with Azure template
+
+To deploy databases that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/databases",
+ "apiVersion": "2024-05-01-preview",
+ "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "collation": "SQL_Latin1_General_CP1_CI_AS",
+ "maxSizeBytes": "[variables('maxSize')]",
+ "catalogCollation": "SQL_Latin1_General_CP1_CI_AS",
+ "readScale": "Disabled",
+ "zoneRedundant": true
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Azure SQL database resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_DATABASE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/databases)
diff --git a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
new file mode 100644
index 00000000000..0b5977d997f
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
@@ -0,0 +1,163 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL Elastic Pool
+resourceType: Microsoft.Sql/servers/elasticPools
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ElasticPoolNaming/
+---
+
+# Azure SQL Elastic Pool resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL Elastic Pool, the Cloud Adoption Framework (CAF) recommends using the `sqlep-` prefix.
+
+Requirements for Azure SQL Elastic Pool resource names:
+
+- Between 1 and 128 characters long.
+- Letters, numbers, and special characters except: `<>*%&:\/?`
+- Can't end with period or a space.
+- Must be unique for each logical server.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL Elastic Pool resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(128)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource pool 'Microsoft.Sql/servers/elasticPools@2024-05-01-preview' = {
+ parent: server
+ name: name
+ location: location
+ properties: {
+ perDatabaseSettings: {
+ minCapacity: 0
+ maxCapacity: 2
+ }
+ maxSizeBytes: 34359738368
+ zoneRedundant: true
+ licenseType: 'BasePrice'
+ maintenanceConfigurationId: maintenanceConfigurationId
+ }
+}
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/elasticPools",
+ "apiVersion": "2024-05-01-preview",
+ "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "perDatabaseSettings": {
+ "minCapacity": 0,
+ "maxCapacity": 2
+ },
+ "maxSizeBytes": 34359738368,
+ "zoneRedundant": true,
+ "licenseType": "BasePrice",
+ "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]"
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Azure SQL Elastic Pool resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/elasticpools)
diff --git a/docs/en/rules/Azure.SQL.JobAgentNaming.md b/docs/en/rules/Azure.SQL.JobAgentNaming.md
new file mode 100644
index 00000000000..6126c1278c2
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.JobAgentNaming.md
@@ -0,0 +1,149 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL Elastic Job agent
+resourceType: Microsoft.Sql/servers/jobAgents
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.JobAgentNaming/
+---
+
+# Azure SQL Elastic Job agent resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL Elastic Job agent, the Cloud Adoption Framework (CAF) recommends using the `sqlja-` prefix.
+
+Requirements for Azure SQL Elastic Job agent resource names:
+
+- Between 1 and 128 characters long.
+- Letters, numbers, and special characters except: `<>*%&:\/?`
+- Can't end with period or a space.
+- Must be unique for each logical server.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL Elastic Job agent resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(128)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource agent 'Microsoft.Sql/servers/jobAgents@2024-05-01-preview' = {
+ parent: server
+ name: name
+ location: location
+ properties: {
+ databaseId: database.id
+ }
+}
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/jobAgents",
+ "apiVersion": "2024-05-01-preview",
+ "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "databaseId": "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]"
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Azure SQL Elastic Job agent resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_JOB_AGENT_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/jobagents)
diff --git a/docs/en/rules/Azure.SQL.ServerName.md b/docs/en/rules/Azure.SQL.ServerName.md
index 76fb09da852..4a6b48c127a 100644
--- a/docs/en/rules/Azure.SQL.ServerName.md
+++ b/docs/en/rules/Azure.SQL.ServerName.md
@@ -1,7 +1,8 @@
---
+reviewed: 2025-10-26
severity: Awareness
pillar: Operational Excellence
-category: Repeatable infrastructure
+category: OE:04 Continuous integration
resource: SQL Database
resourceType: Microsoft.Sql/servers
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ServerName/
@@ -28,11 +29,114 @@ The requirements for SQL logical server names are:
Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource server 'Microsoft.Sql/servers@2024-05-01-preview' = {
+ name: name
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ publicNetworkAccess: 'Disabled'
+ minimalTlsVersion: '1.3'
+ administrators: {
+ azureADOnlyAuthentication: true
+ administratorType: 'ActiveDirectory'
+ login: adminLogin
+ principalType: 'Group'
+ sid: adminPrincipalId
+ tenantId: tenant().tenantId
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 63,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2024-05-01-preview",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "minimalTlsVersion": "1.3",
+ "administrators": {
+ "azureADOnlyAuthentication": true,
+ "administratorType": "ActiveDirectory",
+ "login": "[parameters('adminLogin')]",
+ "principalType": "Group",
+ "sid": "[parameters('adminPrincipalId')]",
+ "tenantId": "[tenant().tenantId]"
+ }
+ }
+ }
+ ]
+}
+```
+
## NOTES
This rule does not check if Azure SQL logical server names are unique.
## LINKS
-- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure)
-- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql)
+- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md
new file mode 100644
index 00000000000..71980651b38
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.ServerNaming.md
@@ -0,0 +1,171 @@
+---
+reviewed: 2025-10-26
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL Database server
+resourceType: Microsoft.Sql/servers
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ServerNaming/
+---
+
+# Azure SQL Database server resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL Database server, the Cloud Adoption Framework (CAF) recommends using the `sql-` prefix.
+
+Requirements for Azure SQL Database server resource names:
+
+- Between 1 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL Database server resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+resource server 'Microsoft.Sql/servers@2024-05-01-preview' = {
+ name: name
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ publicNetworkAccess: 'Disabled'
+ minimalTlsVersion: '1.3'
+ administrators: {
+ azureADOnlyAuthentication: true
+ administratorType: 'ActiveDirectory'
+ login: adminLogin
+ principalType: 'Group'
+ sid: adminPrincipalId
+ tenantId: tenant().tenantId
+ }
+ }
+}
+```
+
+
+
+### Configure with Azure template
+
+To deploy servers that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128,
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2024-05-01-preview",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "minimalTlsVersion": "1.3",
+ "administrators": {
+ "azureADOnlyAuthentication": true,
+ "administratorType": "ActiveDirectory",
+ "login": "[parameters('adminLogin')]",
+ "principalType": "Group",
+ "sid": "[parameters('adminPrincipalId')]",
+ "tenantId": "[tenant().tenantId]"
+ }
+ }
+ }
+ ]
+}
+```
+
+## NOTES
+
+This rule does not check if Azure SQL Database server resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_SERVER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_SERVER_NAME_FORMAT: '^sql-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
diff --git a/docs/en/rules/Azure.SQLMI.ManagedIdentity.md b/docs/en/rules/Azure.SQLMI.ManagedIdentity.md
index 0dc49ddd0e4..8ba99bbc703 100644
--- a/docs/en/rules/Azure.SQLMI.ManagedIdentity.md
+++ b/docs/en/rules/Azure.SQLMI.ManagedIdentity.md
@@ -27,7 +27,7 @@ Consider configure a managed identity to allow support for Azure AD authenticati
## EXAMPLES
-### Configure with Azure template
+### Configure with Bicep
To deploy SQL Managed Instances that pass this rule:
@@ -36,21 +36,31 @@ To deploy SQL Managed Instances that pass this rule:
For example:
-```json
-{
- "type": "Microsoft.Sql/managedInstances",
- "apiVersion": "2022-05-01-preview",
- "name": "[parameters('managedInstanceName')]",
- "location": "[parameters('location')]",
- "identity": {
- "type": "SystemAssigned",
- "userAssignedIdentities": {}
- },
- "properties": {}
+```bicep
+resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = {
+ name: name
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ sku: {
+ name: 'GP_Gen5'
+ }
+ properties: {
+ administrators: {
+ administratorType: 'ActiveDirectory'
+ azureADOnlyAuthentication: true
+ login: login
+ sid: sid
+ principalType: 'Group'
+ tenantId: tenant().tenantId
+ }
+ maintenanceConfigurationId: maintenanceWindow.id
+ }
+}
+```
-
-### Configure with Bicep
+
+### Configure with Azure template
To deploy SQL Managed Instances that pass this rule:
@@ -59,17 +69,29 @@ To deploy SQL Managed Instances that pass this rule:
For example:
-```bicep
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {
- name: appName
- location: location
- name: managedInstanceName
- location: location
- identity: {
- type: 'SystemAssigned'
- userAssignedIdentities: {}
+```json
+{
+ "type": "Microsoft.Sql/managedInstances",
+ "apiVersion": "2023-08-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "sku": {
+ "name": "GP_Gen5"
+ },
+ "properties": {
+ "administrators": {
+ "administratorType": "ActiveDirectory",
+ "azureADOnlyAuthentication": true,
+ "login": "[parameters('login')]",
+ "sid": "[parameters('sid')]",
+ "principalType": "Group",
+ "tenantId": "[tenant().tenantId]"
+ },
+ "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]"
}
- properties: {}
}
```
diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md
new file mode 100644
index 00000000000..ec6273d1885
--- /dev/null
+++ b/docs/en/rules/Azure.SQLMI.Naming.md
@@ -0,0 +1,176 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: SQL Managed Instance +resourceType: Microsoft.Sql/managedInstances +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQLMI.Naming/ +--- + +# SQL Managed Instance resources must use standard naming + +## SYNOPSIS + +SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For SQL Managed Instance, the Cloud Adoption Framework (CAF) recommends using the `sqlmi-` prefix. + +Requirements for SQL Managed Instance resource names: + +- Between 1 and 63 characters long. +- Lowercase letters, numbers, and hyphens. +- Can't start or end with a hyphen. +- SQL Managed Instance names must be globally unique. + +## RECOMMENDATION + +Consider creating SQL Managed Instance resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } +} +``` + + + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" + } + } + ] +} +``` + +## NOTES + +This rule does not check if SQL Managed Instance resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_MI_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment 
reference](https://learn.microsoft.com/azure/templates/microsoft.sql/managedinstances) diff --git a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md new file mode 100644 index 00000000000..783371bd9bf --- /dev/null +++ b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md 
@@ -0,0 +1,196 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Service Fabric +resourceType: Microsoft.ServiceFabric/managedClusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.ManagedNaming/ +--- + +# Service Fabric managed cluster resources must use standard naming + +## SYNOPSIS + +Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Service Fabric managed cluster, the Cloud Adoption Framework (CAF) recommends using the `sfmc-` prefix. + +Requirements for Service Fabric managed cluster resource names: + +- Between 4 and 23 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Service Fabric managed cluster resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy managed clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(4) +@maxLength(23) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource managed 'Microsoft.ServiceFabric/managedClusters@2024-04-01' = { + name: name + location: location + sku: { + name: 'Standard' + } + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + dnsName: toLower(name) + adminUserName: adminUsername + clientConnectionPort: 19000 + httpGatewayConnectionPort: 19080 + clients: [ + { + isAdmin: true + thumbprint: certificateThumbprint + } + ] + loadBalancingRules: [ + { + frontendPort: 8080 + backendPort: 8080 + protocol: 'tcp' + probeProtocol: 'https' + } + ] + } +} + +``` + +### Configure with Azure template + +To deploy managed clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 4, + "maxLength": 23, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceFabric/managedClusters", + "apiVersion": "2024-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "dnsName": "[toLower(parameters('name'))]", + "adminUserName": "[parameters('adminUsername')]", + "clientConnectionPort": 19000, + "httpGatewayConnectionPort": 19080, + "clients": [ + { + "isAdmin": true, + "thumbprint": "[parameters('certificateThumbprint')]" + } + ], + "loadBalancingRules": [ + { + "frontendPort": 8080, + "backendPort": 8080, + "protocol": "tcp", + "probeProtocol": "https" + } + ] + } + } + ] +} +``` + +## NOTES + +This rule does not check if Service Fabric managed cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.servicefabric/managedclusters) diff --git a/docs/en/rules/Azure.ServiceFabric.Naming.md b/docs/en/rules/Azure.ServiceFabric.Naming.md new file mode 100644 index 00000000000..9796688b9e7 --- /dev/null +++ b/docs/en/rules/Azure.ServiceFabric.Naming.md 
@@ -0,0 +1,209 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Service Fabric +resourceType: Microsoft.ServiceFabric/clusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.Naming/ +--- + +# Service Fabric cluster resources must use standard naming + +## SYNOPSIS + +Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Service Fabric cluster, the Cloud Adoption Framework (CAF) recommends using the `sf-` prefix. + +Requirements for Service Fabric cluster resource names: + +- Between 4 and 23 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Service Fabric cluster resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(4) +@maxLength(23) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { + name: name + location: location + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + certificate: { + thumbprint: certificateThumbprint + x509StoreName: 'My' + } + diagnosticsStorageAccountConfig: { + blobEndpoint: storageAccount.properties.primaryEndpoints.blob + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: storageAccount.properties.primaryEndpoints.queue + storageAccountName: storageAccount.name + tableEndpoint: storageAccount.properties.primaryEndpoints.table + } + fabricSettings: [ + { + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + name: 'Security' + } + ] + managementEndpoint: endpointUri + nodeTypes: [] + reliabilityLevel: 'Silver' + upgradeMode: 'Automatic' + vmImage: 'Windows' + } +} +``` + + + +### Configure with Azure template + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 4, + "maxLength": 23, + "metadata": { + "description": "The name of the resource." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2023-11-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "My" + }, + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]", + "storageAccountName": "storage1", + "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "EncryptAndSign" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[parameters('endpointUri')]", + "nodeTypes": [], + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + } + } + ] +} +``` + +## NOTES + +This rule does not check if Service Fabric cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.servicefabric/clusters) diff --git a/docs/en/rules/Azure.VM.Name.md b/docs/en/rules/Azure.VM.Name.md index 543134193f7..84655ae86f8 100644 --- a/docs/en/rules/Azure.VM.Name.md +++ b/docs/en/rules/Azure.VM.Name.md 
@@ -263,5 +263,8 @@ See `Azure.VM.ComputerName` for details. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines) diff --git a/docs/en/rules/Azure.VM.Naming.md b/docs/en/rules/Azure.VM.Naming.md index 698295470b9..3400ac661cf 100644 --- a/docs/en/rules/Azure.VM.Naming.md +++ b/docs/en/rules/Azure.VM.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-04-25 +reviewed: 2025-11-01 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes 
@@ -292,7 +292,10 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines) diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md index fd59c161b6a..3edf92b5092 100644 --- a/docs/en/rules/index.md +++ b/docs/en/rules/index.md 
@@ -324,7 +324,7 @@ AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Det AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA -AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA +AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | GA AZR-000305 | [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA AZR-000306 | [Azure.FrontDoorWAF.PreventionMode](Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA AZR-000307 | [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA 
@@ -518,5 +518,37 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA +AZR-000499 | [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | GA +AZR-000500 | [Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | GA +AZR-000501 | [Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | GA +AZR-000502 | [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | GA +AZR-000503 | [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | GA +AZR-000504 | [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | GA +AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000506 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000507 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000508 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000509 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000510 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000511 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000512 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000513 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000514 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000515 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000516 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000517 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000518 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000519 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000521 | [Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000522 | [Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000523 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000524 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000525 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000526 | [Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000527 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md index be476d19615..a87daa0a714 100644 --- a/docs/en/rules/module.md +++ b/docs/en/rules/module.md 
@@ -113,17 +113,22 @@ Name | Synopsis | Severity | Level
 [Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
 [Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | Error
 [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
+[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Group.Name](Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | Error
 [Azure.KeyVault.KeyName](Azure.KeyVault.KeyName.md) | Key Vault Key names should meet naming requirements. | Awareness | Error
 [Azure.KeyVault.SecretName](Azure.KeyVault.SecretName.md) | Key Vault Secret names should meet naming requirements. | Awareness | Error
 [Azure.LB.Name](Azure.LB.Name.md) | Load Balancer names should meet naming requirements. | Awareness | Error
 [Azure.Log.Name](Azure.Log.Name.md) | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | Error
 [Azure.MariaDB.DatabaseName](Azure.MariaDB.DatabaseName.md) | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error
+[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.NIC.Name](Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error
 [Azure.NSG.Name](Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | Error
+[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | Error
 [Azure.Route.Name](Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | Error
 [Azure.Search.Name](Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | Error
+[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error
+[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.Storage.Name](Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | Error
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
@@ -137,11 +142,26 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AI.FoundryNaming](Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | Warning
 [Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning
 [Azure.AppInsights.Naming](Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.DomainNaming](Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.SystemTopicNaming](Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.TopicNaming](Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -149,14 +169,25 @@ Name | Synopsis | Severity | Level
 [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error
 [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error
 [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
+[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.VM.Naming](Azure.VM.Naming.md) | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -219,7 +250,6 @@ Name | Synopsis | Severity | Level
 [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
 [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error
 [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error
-[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error
 [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error
 [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error
@@ -230,18 +260,14 @@ Name | Synopsis | Severity | Level
 [Azure.MariaDB.FirewallRuleName](Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error
 [Azure.MariaDB.ServerName](Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error
 [Azure.MariaDB.VNETRuleName](Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error
-[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.NSG.AKSRules](Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | Error
 [Azure.Policy.AssignmentAssignedBy](Azure.Policy.AssignmentAssignedBy.md) | Policy assignments should use assignedBy metadata. | Awareness | Error
-[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.PrivateEndpoint.Name](Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | Error
 [Azure.RSV.Name](Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | Error
 [Azure.SignalR.Name](Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | Error
-[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error
 [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error
-[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error
 [Azure.Template.ExpressionLength](Azure.Template.ExpressionLength.md) | Template expressions should not exceed the maximum length. | Awareness | Error
 [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important | Error
@@ -431,7 +457,10 @@ Name | Synopsis | Severity | Level
 [Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error
 [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
+[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
+[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
 [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
+[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
 [Azure.ServiceBus.GeoReplica](Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important | Error
 [Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error
@@ -453,6 +482,7 @@ Name | Synopsis | Severity | Level
 [Azure.ASE.AvailabilityZone](Azure.ASE.AvailabilityZone.md) | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important | Error
 [Azure.ContainerApp.AvailabilityZone](Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | Error
 [Azure.Firewall.AvailabilityZone](Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | Error
+[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error
 [Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
 [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error
 [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -600,7 +630,6 @@ Name | Synopsis | Severity | Level
 [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
 [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error
 [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
-[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
 [Azure.MariaDB.AllowAzureAccess](Azure.MariaDB.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
 ### Network segmentation
@@ -670,6 +699,7 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
 [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
+[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
 [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
 [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
@@ -695,12 +725,14 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.ACR.Firewall](Azure.ACR.Firewall.md) | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | Error
+[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error
 [Azure.AI.PrivateEndpoints](Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | Error
 [Azure.AI.PublicAccess](Azure.AI.PublicAccess.md) | Restrict access of Azure AI services to authorized virtual networks. | Important | Error
 [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error
 [Azure.AKS.HttpAppRouting](Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important | Error
 [Azure.AppGw.UseWAF](Azure.AppGw.UseWAF.md) | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical | Error
 [Azure.AppGw.WAFEnabled](Azure.AppGw.WAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
+[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error
 [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error
 [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
 [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
diff --git a/docs/en/rules/resource.md b/docs/en/rules/resource.md
index ec6dc6053b0..82eadab68b4 100644
--- a/docs/en/rules/resource.md
+++ b/docs/en/rules/resource.md
@@ -147,7 +147,7 @@ Name | Synopsis | Severity | Level
 [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
 [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error
 [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
-[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
+[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error
 ## Application Insights
@@ -193,6 +193,7 @@ Name | Synopsis | Severity | Level
 [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
 [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
 [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
 [Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
 [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error
@@ -202,6 +203,7 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error
 ## Azure Database
@@ -240,6 +242,7 @@ Name | Synopsis | Severity | Level
 [Azure.MySQL.MaintenanceWindow](Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | Error
 [Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error
 [Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
+[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
 [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error
 [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -258,6 +261,7 @@ Name | Synopsis | Severity | Level
 [Azure.PostgreSQL.MaintenanceWindow](Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important | Error
 [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error
 [Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
+[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error
 [Azure.PostgreSQL.ZoneRedundantHA](Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -292,6 +296,7 @@ Name | Synopsis | Severity | Level
 [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
 [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
 [Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important | Error
 [Azure.AKS.NodeAutoUpgrade](Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | Error
 [Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
@@ -301,8 +306,10 @@ Name | Synopsis | Severity | Level
 [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error
 [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
 [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
 [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.Version](Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important | Error
 ## Azure Managed Grafana
@@ -327,6 +334,30 @@ Name | Synopsis | Severity | Level
 [Azure.Log.ReplicaLocation](Azure.Log.ReplicaLocation.md) | The replication location determines the country or region where the data is stored and processed. | Important | Error
 [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error
+## Azure SQL database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Elastic Job agent
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Elastic Pool
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Azure Virtual Desktop
 Name | Synopsis | Severity | Level
@@ -357,10 +388,29 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
 [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error
 [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
 [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
 
+## Container App Environment
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Container App Job
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Container Instance
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Container Registry
 
 Name | Synopsis | Severity | Level
@@ -375,6 +425,7 @@ Name | Synopsis | Severity | Level
 [Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error
 [Azure.ACR.MinSku](Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important | Error
 [Azure.ACR.Name](Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ACR.Quarantine](Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important | Error
 [Azure.ACR.ReplicaLocation](Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | Error
 [Azure.ACR.Retention](Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important | Error
@@ -394,20 +445,66 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
+[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error
 [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
 [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
 [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error
+[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
+[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
 [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error
 [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error
 
+## Cosmos DB database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Apache Cassandra account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Apache Gremlin account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for MongoDB account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for NoSQL account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Table account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB PostgreSQL cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Data Explorer
 
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.ADX.DiskEncryption](Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error
 [Azure.ADX.ManagedIdentity](Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error
+[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error
 [Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error
 [Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
 
@@ -572,6 +669,18 @@ Name | Synopsis | Severity | Level
 [Azure.ML.PublicAccess](Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical | Error
 [Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error
 
+## Managed Grafana
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error
+
+## Managed Instance for Apache Cassandra
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
+
 ## Microsoft Defender for Cloud
 
 Name | Synopsis | Severity | Level
@@ -688,6 +797,8 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error
 
 ## SignalR Service
@@ -725,6 +836,7 @@ Name | Synopsis | Severity | Level
 [Azure.SQLMI.MaintenanceWindow](Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important | Error
 [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important | Error
 [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 
 ## Storage Account
 
diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md
index 78137a7fdb2..fd1d8f09359 100644
--- a/docs/es/rules/index.md
+++ b/docs/es/rules/index.md
@@ -324,7 +324,7 @@ AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Det
 AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA
 AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
 AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA
-AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
+AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | GA
 AZR-000305 | [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA
 AZR-000306 | [Azure.FrontDoorWAF.PreventionMode](Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA
 AZR-000307 | [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA
@@ -518,5 +518,37 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy
 AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA
 AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA
 AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA
+AZR-000499 | [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | GA
+AZR-000500 | [Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | GA
+AZR-000501 | [Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | GA
+AZR-000502 | [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | GA
+AZR-000503 | [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | GA
+AZR-000504 | [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | GA
+AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000506 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000507 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000508 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000509 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000510 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000511 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000512 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000513 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000514 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000515 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000516 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000517 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000518 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000519 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000521 | [Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000522 | [Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000523 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000524 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000525 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000526 | [Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000527 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
 
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md
index be476d19615..a87daa0a714 100644
--- a/docs/es/rules/module.md
+++ b/docs/es/rules/module.md
@@ -113,17 +113,22 @@ Name | Synopsis | Severity | Level
 [Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
 [Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | Error
 [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
+[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Group.Name](Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | Error
 [Azure.KeyVault.KeyName](Azure.KeyVault.KeyName.md) | Key Vault Key names should meet naming requirements. | Awareness | Error
 [Azure.KeyVault.SecretName](Azure.KeyVault.SecretName.md) | Key Vault Secret names should meet naming requirements. | Awareness | Error
 [Azure.LB.Name](Azure.LB.Name.md) | Load Balancer names should meet naming requirements. | Awareness | Error
 [Azure.Log.Name](Azure.Log.Name.md) | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | Error
 [Azure.MariaDB.DatabaseName](Azure.MariaDB.DatabaseName.md) | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error
+[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.NIC.Name](Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error
 [Azure.NSG.Name](Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | Error
+[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | Error
 [Azure.Route.Name](Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | Error
 [Azure.Search.Name](Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | Error
+[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error
+[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.Storage.Name](Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | Error
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
@@ -137,11 +142,26 @@ Name | Synopsis | Severity | Level
 
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AI.FoundryNaming](Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | Warning
 [Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning
 [Azure.AppInsights.Naming](Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.DomainNaming](Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.SystemTopicNaming](Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.TopicNaming](Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -149,14 +169,25 @@ Name | Synopsis | Severity | Level
 [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error
 [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error
 [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
+[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.VM.Naming](Azure.VM.Naming.md) | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -219,7 +250,6 @@ Name | Synopsis | Severity | Level
 [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
 [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error
 [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error
-[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error
 [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error
 [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error
@@ -230,18 +260,14 @@ Name | Synopsis | Severity | Level [Azure.MariaDB.FirewallRuleName](Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error [Azure.MariaDB.ServerName](Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error [Azure.MariaDB.VNETRuleName](Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error -[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NSG.AKSRules](Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | Error [Azure.Policy.AssignmentAssignedBy](Azure.Policy.AssignmentAssignedBy.md) | Policy assignments should use assignedBy metadata. | Awareness | Error -[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error [Azure.PrivateEndpoint.Name](Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | Error [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | Error [Azure.RSV.Name](Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | Error [Azure.SignalR.Name](Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | Error -[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. 
| Awareness | Error [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error -[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error [Azure.Template.ExpressionLength](Azure.Template.ExpressionLength.md) | Template expressions should not exceed the maximum length. | Awareness | Error [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important | Error 
@@ -431,7 +457,10 @@ Name | Synopsis | Severity | Level [Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.ServiceBus.GeoReplica](Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important | Error [Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error 
@@ -453,6 +482,7 @@ Name | Synopsis | Severity | Level [Azure.ASE.AvailabilityZone](Azure.ASE.AvailabilityZone.md) | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important | Error [Azure.ContainerApp.AvailabilityZone](Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | Error [Azure.Firewall.AvailabilityZone](Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | Error +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error [Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -600,7 +630,6 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error [Azure.MariaDB.AllowAzureAccess](Azure.MariaDB.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error ### Network segmentation 
@@ -670,6 +699,7 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error 
@@ -695,12 +725,14 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ACR.Firewall](Azure.ACR.Firewall.md) | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.AI.PrivateEndpoints](Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | Error [Azure.AI.PublicAccess](Azure.AI.PublicAccess.md) | Restrict access of Azure AI services to authorized virtual networks. | Important | Error [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error [Azure.AKS.HttpAppRouting](Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important | Error [Azure.AppGw.UseWAF](Azure.AppGw.UseWAF.md) | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical | Error [Azure.AppGw.WAFEnabled](Azure.AppGw.WAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. 
| Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error diff --git a/docs/es/rules/resource.md b/docs/es/rules/resource.md index ec6dc6053b0..82eadab68b4 100644 --- a/docs/es/rules/resource.md +++ b/docs/es/rules/resource.md @@ -147,7 +147,7 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error ## Application Insights 
@@ -193,6 +193,7 @@ Name | Synopsis | Severity | Level [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error [Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error @@ -202,6 +203,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error ## Azure Database 
@@ -240,6 +242,7 @@ Name | Synopsis | Severity | Level [Azure.MySQL.MaintenanceWindow](Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | Error [Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -258,6 +261,7 @@ Name | Synopsis | Severity | Level [Azure.PostgreSQL.MaintenanceWindow](Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important | Error [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error [Azure.PostgreSQL.ZoneRedundantHA](Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -292,6 +296,7 @@ Name | Synopsis | Severity | Level [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error [Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error +[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important | Error [Azure.AKS.NodeAutoUpgrade](Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | Error [Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error 
@@ -301,8 +306,10 @@ Name | Synopsis | Severity | Level [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error +[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error +[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.Version](Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important | Error ## Azure Managed Grafana 
@@ -327,6 +334,30 @@ Name | Synopsis | Severity | Level [Azure.Log.ReplicaLocation](Azure.Log.ReplicaLocation.md) | The replication location determines the country or region where the data is stored and processed. | Important | Error [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error +## Azure SQL database + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Database server + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Elastic Job agent + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Elastic Pool + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Azure Virtual Desktop Name | Synopsis | Severity | Level 
@@ -357,10 +388,29 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error +[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error +## Container App Environment + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Container App Job + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error + +## Container Instance + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Container Registry Name | Synopsis | Severity | Level @@ -375,6 +425,7 @@ Name | Synopsis | Severity | Level [Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error [Azure.ACR.MinSku](Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important | Error [Azure.ACR.Name](Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | Error +[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ACR.Quarantine](Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important | Error [Azure.ACR.ReplicaLocation](Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | Error [Azure.ACR.Retention](Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important | Error 
@@ -394,20 +445,66 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). 
| Important | Error +## Cosmos DB database + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Apache Cassandra account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Apache Gremlin account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for MongoDB account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for NoSQL account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Table account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error + +## Cosmos DB PostgreSQL cluster + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Data Explorer Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ADX.DiskEncryption](Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.ManagedIdentity](Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error 
@@ -572,6 +669,18 @@ Name | Synopsis | Severity | Level [Azure.ML.PublicAccess](Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical | Error [Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error +## Managed Grafana + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error + +## Managed Instance for Apache Cassandra + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error + ## Microsoft Defender for Cloud Name | Synopsis | Severity | Level @@ -688,6 +797,8 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error +[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error ## SignalR Service 
@@ -725,6 +836,7 @@ Name | Synopsis | Severity | Level [Azure.SQLMI.MaintenanceWindow](Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important | Error [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error +[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error ## Storage Account diff --git a/docs/examples/resources/aci.bicep b/docs/examples/resources/aci.bicep new file mode 100644 index 00000000000..4b070ea4c95 --- /dev/null +++ b/docs/examples/resources/aci.bicep @@ -0,0 +1,62 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +@description('The resource subnet ID.') +param subnetId string + +var containers = [ + { + name: 'mycontainer' + properties: { + image: 'mcr.microsoft.com/azuredocs/aci-helloworld:latest' + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + resources: { + requests: { + cpu: 1 + memoryInGB: 2 + } + } + } + } +] + +// An example Azure Container Instance with a network profile. +resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = { + name: name + location: location + properties: { + containers: containers + osType: 'Linux' + sku: 'Standard' + restartPolicy: 'Always' + ipAddress: { + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + type: 'Private' + } + subnetIds: [ + { + id: subnetId + } + ] + } +} 
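Review bot: The example container in the new aci.bicep references its image by a mutable tag, `image: 'mcr.microsoft.com/azuredocs/aci-helloworld:latest'`, so the content deployed by the same template can change between runs; for a published example a fixed tag or digest is the safer reference, e.g. `image: 'mcr.microsoft.com/azuredocs/aci-helloworld:<PINNED_TAG_OR_DIGEST>'` (placeholder). The companion aci.json in the next hunk is generated from this file and carries the same value, so it will follow once this is regenerated. Separately, the comment above the resource reads `// An example Azure Container Instance with a network profile.` but the resource attaches to the network through `subnetIds` and declares no network profile; `// An example Azure Container Instance deployed into a virtual network subnet.` would match the code.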
diff --git a/docs/examples/resources/aci.json b/docs/examples/resources/aci.json new file mode 100644 index 00000000000..321b91bd4c6 --- /dev/null +++ b/docs/examples/resources/aci.json @@ -0,0 +1,84 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.38.33.27573", + "templateHash": "14594933783337124860" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "subnetId": { + "type": "string", + "metadata": { + "description": "The resource subnet ID." + } + } + }, + "variables": { + "containers": [ + { + "name": "mycontainer", + "properties": { + "image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest", + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": 1, + "memoryInGB": 2 + } + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2025-09-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "containers": "[variables('containers')]", + "osType": "Linux", + "sku": "Standard", + "restartPolicy": "Always", + "ipAddress": { + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "type": "Private" + }, + "subnetIds": [ + { + "id": "[parameters('subnetId')]" + } + ] + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/resources/aks.bicep b/docs/examples/resources/aks.bicep index 68a479954dc..b9893700150 100644 --- a/docs/examples/resources/aks.bicep +++ b/docs/examples/resources/aks.bicep 
@@ -5,11 +5,11 @@ // Define parameters -@description('The name of the AKS cluster.') +@description('The name of the resource.') param name string @metadata({ - description: 'Optional. The Azure region to deploy to.' + description: 'The location resources will be deployed.' strongType: 'location' example: 'EastUS' ignore: true @@ -126,13 +126,13 @@ var userPools = [ // Define resources // Cluster managed identity -resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { +resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = { name: identityName location: location } // An example AKS cluster -resource cluster 'Microsoft.ContainerService/managedClusters@2024-10-01' = { +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { @@ -219,7 +219,7 @@ resource auditLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = } // An example AKS cluster with pools defined. -resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-02-01' = { +resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { @@ -306,7 +306,7 @@ resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-02-01 } // An example private AKS cluster with pools defined. -resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' = { +resource privateCluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { 
@@ -390,3 +390,43 @@ resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' } } } + +// An example system node pool. +resource system 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = { + parent: cluster + name: 'system' + properties: { + osDiskSizeGB: osDiskSizeGB + minCount: 3 + maxCount: 7 + enableAutoScaling: true + maxPods: systemPoolMaxPods + vmSize: 'Standard_D16ds_v6' + osType: 'Linux' + type: 'VirtualMachineScaleSets' + vnetSubnetID: clusterSubnetId + mode: 'System' + osDiskType: 'Ephemeral' + scaleSetPriority: 'Regular' + } +} + +// An example user node pool. +resource user 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = { + parent: cluster + name: 'user' + properties: { + osDiskSizeGB: osDiskSizeGB + minCount: 3 + maxCount: 20 + enableAutoScaling: true + maxPods: 150 + vmSize: 'Standard_D16ds_v6' + osType: 'Linux' + type: 'VirtualMachineScaleSets' + vnetSubnetID: clusterSubnetId + mode: 'User' + osDiskType: 'Ephemeral' + scaleSetPriority: 'Regular' + } +} diff --git a/docs/examples/resources/aks.json b/docs/examples/resources/aks.json index c1438dd5507..ff8e5ef2f41 100644 --- a/docs/examples/resources/aks.json +++ b/docs/examples/resources/aks.json @@ -4,22 +4,22 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "6019742219031876579" + "version": "0.38.33.27573", + "templateHash": "6176874005941688917" } }, "parameters": { "name": { "type": "string", "metadata": { - "description": "The name of the AKS cluster." + "description": "The name of the resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { - "description": "Optional. The Azure region to deploy to.", + "description": "The location resources will be deployed.", "strongType": "location", "example": "EastUS", "ignore": true 
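Review bot: The `system` pool sets `mode: 'System'` but no `nodeTaints`, so application pods can still be scheduled onto the nodes that host the cluster's system add-ons; for a dedicated system pool the usual practice is `nodeTaints: ['CriticalAddonsOnly=true:NoSchedule']` next to `mode: 'System'`. Both pools attach to `cluster` through `parent`, while the cluster resource itself (body outside this hunk) may already declare an `agentPoolProfiles` entry; if that entry is not also named `system`, the template would end up with two system pools, so confirm the names agree. `osDiskSizeGB`, `systemPoolMaxPods` and `clusterSubnetId` are referenced from outside the hunk and their declarations are not visible here.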
@@ -172,13 +172,13 @@ "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", + "apiVersion": "2024-11-30", "name": "[parameters('identityName')]", "location": "[parameters('location')]" }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { @@ -272,7 +272,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { @@ -362,7 +362,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { 
@@ -448,6 +448,50 @@ "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]" ] + }, + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'system')]", + "properties": { + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "minCount": 3, + "maxCount": 7, + "enableAutoScaling": true, + "maxPods": "[parameters('systemPoolMaxPods')]", + "vmSize": "Standard_D16ds_v6", + "osType": "Linux", + "type": "VirtualMachineScaleSets", + "vnetSubnetID": "[parameters('clusterSubnetId')]", + "mode": "System", + "osDiskType": "Ephemeral", + "scaleSetPriority": "Regular" + }, + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + ] + }, + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'user')]", + "properties": { + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "minCount": 3, + "maxCount": 20, + "enableAutoScaling": true, + "maxPods": 150, + "vmSize": "Standard_D16ds_v6", + "osType": "Linux", + "type": "VirtualMachineScaleSets", + "vnetSubnetID": "[parameters('clusterSubnetId')]", + "mode": "User", + "osDiskType": "Ephemeral", + "scaleSetPriority": "Regular" + }, + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + ] } ] -} +} \ No newline at end of file diff --git a/docs/examples/resources/containerapp.bicep b/docs/examples/resources/containerapp.bicep index 5ce3e29fdf3..4446a9c8cf4 100644 --- a/docs/examples/resources/containerapp.bicep +++ b/docs/examples/resources/containerapp.bicep 
@@ -3,13 +3,10 @@ // Bicep documentation examples -@description('The name of the app environment.') -param envName string - @minLength(2) @maxLength(32) -@description('The name of the container app.') -param appName string +@description('The name of the resource.') +param name string @description('The location resources will be deployed.') param location string = resourceGroup().location @@ -23,6 +20,9 @@ param subnetId string @description('The revision of the container app.') param revision string +@description('The name of the workload profile to use for the job.') +param workloadProfileName string + resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { name: split(workspaceId, '/')[8] } @@ -54,8 +54,8 @@ var ipSecurityRestrictions = [ ] // An example App Environment configured with a consumption workload profile. -resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { - name: envName +resource containerEnv 'Microsoft.App/managedEnvironments@2025-01-01' = { + name: name location: location properties: { appLogsConfiguration: { @@ -80,8 +80,8 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { } // An example Container App using a minimum of 2 replicas. -resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { - name: appName +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { + name: name location: location identity: { type: 'SystemAssigned' @@ -109,8 +109,8 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { } // An example Container App with IP security restrictions. -resource containerAppWithSecurity 'Microsoft.App/containerApps@2024-03-01' = { - name: appName +resource containerAppWithSecurity 'Microsoft.App/containerApps@2025-01-01' = { + name: name location: location identity: { type: 'SystemAssigned' 
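Review bot: Collapsing `envName` and `appName` into a single `name` parameter makes the managed environment and both `Microsoft.App/containerApps` resources (`containerApp` and `containerAppWithSecurity`) deploy under the same name, and carries the container app's `@minLength(2)`/`@maxLength(32)` constraint onto a resource type with its own naming limits. Two resources of the same type and name in one template should be rejected at deployment validation, so if these are alternative snippets rather than one deployable file, say so in a comment or give the second app a distinct name such as `name: '${name}-restricted'`. Both apps keep `identity: { type: 'SystemAssigned' }`, which is the right default for an example.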
@@ -148,3 +148,24 @@ resource containerAppWithSecurity 'Microsoft.App/containerApps@2024-03-01' = { } } } + +// An example Container App Job using a workload profile. +resource job 'Microsoft.App/jobs@2025-01-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + containers: containers + } + workloadProfileName: workloadProfileName + configuration: { + replicaTimeout: 300 + triggerType: 'Manual' + manualTriggerConfig: {} + } + } +} diff --git a/docs/examples/resources/containerapp.json b/docs/examples/resources/containerapp.json index d208cffef41..8fbcb6bf95f 100644 --- a/docs/examples/resources/containerapp.json +++ b/docs/examples/resources/containerapp.json @@ -4,23 +4,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "7132667371133705541" + "version": "0.38.33.27573", + "templateHash": "2167050194923568795" } }, "parameters": { - "envName": { - "type": "string", - "metadata": { - "description": "The name of the app environment." - } - }, - "appName": { + "name": { "type": "string", "minLength": 2, "maxLength": 32, "metadata": { - "description": "The name of the container app." + "description": "The name of the resource." } }, "location": { @@ -47,6 +41,12 @@ "metadata": { "description": "The revision of the container app." } + }, + "workloadProfileName": { + "type": "string", + "metadata": { + "description": "The name of the workload profile to use for the job." + } } }, "variables": { @@ -78,8 +78,8 @@ "resources": [ { "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2024-03-01", - "name": "[parameters('envName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { "appLogsConfiguration": { 
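Review bot: The new `job` sets `workloadProfileName: workloadProfileName`, but nothing ties the parameter to a profile declared on `containerEnv`, whose `workloadProfiles` block lies outside this hunk and is described in its comment as a consumption profile; the deployment fails if the names do not match, so document it on the parameter, e.g. `@description('The name of a workload profile declared on the environment, for example Consumption.')`. `manualTriggerConfig: {}` leaves parallelism and completion count to service defaults; stating them explicitly would make the example self-describing. `replicaTimeout: 300` and the system-assigned identity are fine as shown.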
@@ -104,14 +104,14 @@ }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2024-03-01", - "name": "[parameters('appName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, "properties": { - "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", "template": { "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]", @@ -131,19 +131,19 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" ] }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2024-03-01", - "name": "[parameters('appName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, "properties": { - "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", "template": { "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]", 
@@ -175,7 +175,31 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" + ] + }, + { + "type": "Microsoft.App/jobs", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "template": { + "containers": "[variables('containers')]" + }, + "workloadProfileName": "[parameters('workloadProfileName')]", + "configuration": { + "replicaTimeout": 300, + "triggerType": "Manual", + "manualTriggerConfig": {} + } + }, + "dependsOn": [ + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" ] } ] diff --git a/docs/examples/resources/cosmos.bicep b/docs/examples/resources/cosmos.bicep index 529cee6dacb..db6fe798afa 100644 --- a/docs/examples/resources/cosmos.bicep +++ b/docs/examples/resources/cosmos.bicep @@ -3,13 +3,15 @@ // Bicep documentation examples -@description('The name of the Cosmos database account.') +@minLength(3) +@maxLength(44) +@description('The name of the resource.') param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -@description('A Cosmos DB account using the NoSQL API.') +// An example Cosmos DB account using the NoSQL API. resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { name: name location: location @@ -31,7 +33,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { } } -@description('A No SQL API database in a Cosmos DB account.') +// An example No SQL API database in a Cosmos DB account. resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15' = { name: 'sql-001' parent: account 
diff --git a/docs/examples/resources/cosmos.json b/docs/examples/resources/cosmos.json index 2fc47b3830f..37075a6500a 100644 --- a/docs/examples/resources/cosmos.json +++ b/docs/examples/resources/cosmos.json @@ -5,14 +5,16 @@ "_generator": { "name": "bicep", "version": "0.38.33.27573", - "templateHash": "15884156970722779622" + "templateHash": "2704156339140852790" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 44, "metadata": { - "description": "The name of the Cosmos database account." + "description": "The name of the resource." } }, "location": { @@ -44,9 +46,6 @@ ], "disableKeyBasedMetadataWriteAccess": true, "minimalTlsVersion": "Tls12" - }, - "metadata": { - "description": "A Cosmos DB account using the NoSQL API." } }, { @@ -60,10 +59,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" - ], - "metadata": { - "description": "A No SQL API database in a Cosmos DB account." - } + ] } ] -} \ No newline at end of file +} diff --git a/docs/examples/resources/mysql.bicep b/docs/examples/resources/mysql.bicep index 67ca9d29770..4b79cd9e86d 100644 --- a/docs/examples/resources/mysql.bicep +++ b/docs/examples/resources/mysql.bicep 
@@ -3,20 +3,22 @@ // Bicep documentation examples -@sys.description('The name of the resource.') +@minLength(3) +@maxLength(63) +@description('The name of the resource.') param name string -@sys.description('The location resources will be deployed.') +@description('The location resources will be deployed.') param location string = resourceGroup().location -@sys.description('The login for an administrator.') +@description('The login for an administrator.') param administratorLogin string @secure() @description('A default administrator password.') param administratorLoginPassword string -@sys.description('The object GUID for an administrator account.') +@description('The object GUID for an administrator account.') param loginObjectId string // An example Azure Database for MySQL using the single server deployment model. @@ -57,7 +59,7 @@ resource entraForSingleServer 'Microsoft.DBforMySQL/servers/administrators@2017- } } -resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' = { +resource flexible 'Microsoft.DBforMySQL/flexibleServers@2024-12-30' = { name: name location: location sku: { diff --git a/docs/examples/resources/mysql.json b/docs/examples/resources/mysql.json index ee0ff17a861..9b0751df0dc 100644 --- a/docs/examples/resources/mysql.json +++ b/docs/examples/resources/mysql.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "14190762334901930442" + "version": "0.38.33.27573", + "templateHash": "6762710448519896098" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -85,7 +87,7 @@ }, { "type": "Microsoft.DBforMySQL/flexibleServers", - "apiVersion": "2023-12-30", + "apiVersion": "2024-12-30", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { 
diff --git a/docs/examples/resources/postgresql.bicep b/docs/examples/resources/postgresql.bicep index e40de0c226a..f3bbbf40b7a 100644 --- a/docs/examples/resources/postgresql.bicep +++ b/docs/examples/resources/postgresql.bicep @@ -3,20 +3,22 @@ // Bicep documentation examples -@sys.description('The name of the resource.') +@minLength(3) +@maxLength(63) +@description('The name of the resource.') param name string -@sys.description('The location resources will be deployed.') +@description('The location resources will be deployed.') param location string = resourceGroup().location -@sys.description('The login for an administrator.') +@description('The login for an administrator.') param localAdministrator string @secure() @description('A default administrator password.') param localAdministratorPassword string -@sys.description('The object GUID for an administrator account.') +@description('The object GUID for an administrator account.') param loginObjectId string // An example PostgreSQL server. @@ -47,7 +49,7 @@ resource single_admin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12- } // An example PostgreSQL using the flexible server model. -resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { +resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = { name: name location: location sku: { @@ -76,7 +78,7 @@ resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { } // Configure administrators for a flexible server. -resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = { +resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2024-08-01' = { parent: flexible name: loginObjectId properties: { diff --git a/docs/examples/resources/postgresql.json b/docs/examples/resources/postgresql.json index 0c295b4c2bf..acfa973d40d 100644 --- a/docs/examples/resources/postgresql.json +++ b/docs/examples/resources/postgresql.json 
@@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "1186622257126358354" + "version": "0.38.33.27573", + "templateHash": "7375294002453194062" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -73,7 +75,7 @@ }, { "type": "Microsoft.DBforPostgreSQL/flexibleServers", - "apiVersion": "2022-12-01", + "apiVersion": "2024-08-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { @@ -102,7 +104,7 @@ }, { "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators", - "apiVersion": "2022-12-01", + "apiVersion": "2024-08-01", "name": "[format('{0}/{1}', parameters('name'), parameters('loginObjectId'))]", "properties": { "principalType": "ServicePrincipal", diff --git a/docs/examples/resources/redisenterprise.bicep b/docs/examples/resources/redisenterprise.bicep index 08f0d7b4f4b..b1ff87388c9 100644 --- a/docs/examples/resources/redisenterprise.bicep +++ b/docs/examples/resources/redisenterprise.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(1) +@maxLength(63) @description('The name of the resource.') param name string @@ -10,7 +12,7 @@ param name string param location string = resourceGroup().location // An example Redis Enterprise cache. -resource cache 'Microsoft.Cache/redisEnterprise@2024-02-01' = { +resource cache 'Microsoft.Cache/redisEnterprise@2025-04-01' = { name: name location: location sku: { diff --git a/docs/examples/resources/redisenterprise.json b/docs/examples/resources/redisenterprise.json index 82ebee64902..7bd4c66520d 100644 --- a/docs/examples/resources/redisenterprise.json +++ b/docs/examples/resources/redisenterprise.json 
@@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "18144616178175150817" + "version": "0.38.33.27573", + "templateHash": "17489438504009269923" } }, "parameters": { "name": { "type": "string", + "minLength": 1, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -26,7 +28,7 @@ "resources": [ { "type": "Microsoft.Cache/redisEnterprise", - "apiVersion": "2024-02-01", + "apiVersion": "2025-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { diff --git a/docs/examples/resources/service-fabric.bicep b/docs/examples/resources/service-fabric.bicep index 6db7e4724e9..77b342bdf70 100644 --- a/docs/examples/resources/service-fabric.bicep +++ b/docs/examples/resources/service-fabric.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(4) +@maxLength(23) @description('The name of the resource.') param name string @@ -13,6 +15,7 @@ param endpointUri string param tenantId string param clusterApplication string param clientApplication string +param adminUsername string @description('Certificate thumbprint.') param certificateThumbprint string @@ -21,7 +24,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' existing name: 'storage1' } -// An example of a Service Fabric cluster resource. +// An example Service Fabric cluster. resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { name: name location: location 
@@ -60,3 +63,37 @@ resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { vmImage: 'Windows' } } + +// An example Service Fabric managed cluster. +resource managed 'Microsoft.ServiceFabric/managedClusters@2024-04-01' = { + name: name + location: location + sku: { + name: 'Standard' + } + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + dnsName: toLower(name) + adminUserName: adminUsername + clientConnectionPort: 19000 + httpGatewayConnectionPort: 19080 + clients: [ + { + isAdmin: true + thumbprint: certificateThumbprint + } + ] + loadBalancingRules: [ + { + frontendPort: 8080 + backendPort: 8080 + protocol: 'tcp' + probeProtocol: 'https' + } + ] + } +} diff --git a/docs/examples/resources/service-fabric.json b/docs/examples/resources/service-fabric.json index c747e91da28..2374763dfce 100644 --- a/docs/examples/resources/service-fabric.json +++ b/docs/examples/resources/service-fabric.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.35.1.17967", - "templateHash": "16820822623191152552" + "version": "0.38.33.27573", + "templateHash": "6378535014997672625" } }, "parameters": { "name": { "type": "string", + "minLength": 4, + "maxLength": 23, "metadata": { "description": "The name of the resource." } @@ -34,6 +36,9 @@ "clientApplication": { "type": "string" }, + "adminUsername": { + "type": "string" + }, "certificateThumbprint": { "type": "string", "metadata": { 
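Review bot: The managed cluster sets `adminUserName: adminUsername` but no `adminPassword`; the managed cluster resource takes a VM administrator password alongside the user name and, if it is required on create (confirm against the 2024-04-01 schema), the example will not deploy as written. If it is added it must be `@secure() param adminPassword string` passed as `adminPassword: adminPassword`, never a literal. The new `param adminUsername string` also lacks a `@description`, unlike `name`, `location` and `certificateThumbprint`; `@description('The local administrator user name for the cluster node VMs.')` matches the file's style. Authentication is otherwise consistent: Entra ID via `azureActiveDirectory` plus an admin client pinned by certificate thumbprint.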
@@ -81,6 +86,40 @@ "upgradeMode": "Automatic", "vmImage": "Windows" } + }, + { + "type": "Microsoft.ServiceFabric/managedClusters", + "apiVersion": "2024-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "dnsName": "[toLower(parameters('name'))]", + "adminUserName": "[parameters('adminUsername')]", + "clientConnectionPort": 19000, + "httpGatewayConnectionPort": 19080, + "clients": [ + { + "isAdmin": true, + "thumbprint": "[parameters('certificateThumbprint')]" + } + ], + "loadBalancingRules": [ + { + "frontendPort": 8080, + "backendPort": 8080, + "protocol": "tcp", + "probeProtocol": "https" + } + ] + } } ] } \ No newline at end of file diff --git a/docs/examples/resources/sql.bicep b/docs/examples/resources/sql.bicep index 5b28caec6c9..c935fffe479 100644 --- a/docs/examples/resources/sql.bicep +++ b/docs/examples/resources/sql.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(1) +@maxLength(128) @description('The name of the resource.') param name string @@ -11,6 +13,7 @@ param location string = resourceGroup().location param adminLogin string param adminPrincipalId string +param maintenanceConfigurationId string var maxSize = 32 * 1048576 @@ -23,7 +26,7 @@ resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { } properties: { publicNetworkAccess: 'Disabled' - minimalTlsVersion: '1.2' + minimalTlsVersion: '1.3' administrators: { azureADOnlyAuthentication: true administratorType: 'ActiveDirectory' 
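Review bot: `minimalTlsVersion` on `server` moves from `'1.2'` to `'1.3'`, which is stricter than the usual TLS 1.2 baseline and will refuse connections from any client driver that cannot negotiate TLS 1.3; if this is meant as the reference configuration, either keep `'1.2'` or add `// TLS 1.3 only; confirm every client driver supports it before adopting.` so readers see the trade-off. The new `param maintenanceConfigurationId string` has no `@description`; `@description('The resource ID of the maintenance configuration applied to the elastic pool.')` would match `name` and `location`. `publicNetworkAccess: 'Disabled'` and `azureADOnlyAuthentication: true` remain, which is the right posture.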
@@ -102,3 +105,30 @@ resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2024-05- state: 'Enabled' } } + +// An example Azure SQL Job Agent. +resource agent 'Microsoft.Sql/servers/jobAgents@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + databaseId: database.id + } +} + +// An example Azure SQL Elastic Pool. +resource pool 'Microsoft.Sql/servers/elasticPools@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + perDatabaseSettings: { + minCapacity: 0 + maxCapacity: 2 + } + maxSizeBytes: 34359738368 + zoneRedundant: true + licenseType: 'BasePrice' + maintenanceConfigurationId: maintenanceConfigurationId + } +} diff --git a/docs/examples/resources/sql.json b/docs/examples/resources/sql.json index c77850d40af..af2a1a301fe 100644 --- a/docs/examples/resources/sql.json +++ b/docs/examples/resources/sql.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.34.1.11899", - "templateHash": "13668357951305686306" + "version": "0.38.33.27573", + "templateHash": "5973132553936234562" } }, "parameters": { "name": { "type": "string", + "minLength": 1, + "maxLength": 128, "metadata": { "description": "The name of the resource." } @@ -27,6 +29,9 @@ }, "adminPrincipalId": { "type": "string" + }, + "maintenanceConfigurationId": { + "type": "string" } }, "variables": { @@ -43,7 +48,7 @@ }, "properties": { "publicNetworkAccess": "Disabled", - "minimalTlsVersion": "1.2", + "minimalTlsVersion": "1.3", "administrators": { "azureADOnlyAuthentication": true, "administratorType": "ActiveDirectory", 
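Review bot: The `agent` job agent is created with only `databaseId` and no `identity`, so jobs it runs must rely on stored job credentials for target servers; if the 2024-05-01-preview API exposes an `identity` block on job agents (confirm), a user-assigned identity would be consistent with the Entra-only authentication the server enforces. The `pool` elastic pool declares `perDatabaseSettings.maxCapacity: 2` and `maxSizeBytes` but no `sku`, so the per-database capacity has nothing to be validated against and the tier falls to whatever the provider defaults; add an explicit `sku` (for example `sku: { name: 'GP_Gen5', tier: 'GeneralPurpose', capacity: 4 }`) if the example is meant to deploy. Both children reuse `name`, producing ids of the form `{name}/{name}`; `'${name}-agent'` and `'${name}-pool'` would read more clearly in a naming example.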
@@ -133,6 +138,38 @@ "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" ] + }, + { + "type": "Microsoft.Sql/servers/jobAgents", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "databaseId": "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]", + "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/elasticPools", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "perDatabaseSettings": { + "minCapacity": 0, + "maxCapacity": 2 + }, + "maxSizeBytes": 34359738368, + "zoneRedundant": true, + "licenseType": "BasePrice", + "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + ] } ] } \ No newline at end of file diff --git a/docs/examples/resources/sqlmi.bicep b/docs/examples/resources/sqlmi.bicep new file mode 100644 index 00000000000..c8e35e4e268 --- /dev/null +++ b/docs/examples/resources/sqlmi.bicep 
@@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +param login string +param sid string + +// An example SQL managed instance. +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } +} + +resource maintenanceWindow 'Microsoft.Maintenance/publicMaintenanceConfigurations@2023-04-01' existing = { + scope: subscription() + name: 'SQL_WestEurope_MI_1' +} diff --git a/docs/examples/resources/sqlmi.json b/docs/examples/resources/sqlmi.json new file mode 100644 index 00000000000..ddda1711db9 --- /dev/null +++ b/docs/examples/resources/sqlmi.json 
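Review bot: `managedInstance` declares no `subnetId` in `properties`; a managed instance can only be created inside a delegated subnet, so this example cannot deploy as written — add `param subnetId string` (as `aci.bicep` does) and `subnetId: subnetId`. While there, set `minimalTlsVersion: '1.2'` and `publicDataEndpointEnabled: false` explicitly so the example demonstrates the secure settings rather than inheriting them. `maintenanceWindow` is pinned to `'SQL_WestEurope_MI_1'` while `location` defaults to `resourceGroup().location`; the maintenance configuration has to match the instance's region, so either document the West Europe assumption or derive the name from `location`. `login` and `sid` have no `@description`; `sid` is the object id of the Entra group named by `login` (`principalType: 'Group'`), which is worth stating.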
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.38.33.27573", + "templateHash": "16665234278863375091" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "login": { + "type": "string" + }, + "sid": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" + } + } + ] +} \ No newline at end of file diff --git a/docs/setup/setup-naming-and-tagging.md b/docs/setup/setup-naming-and-tagging.md index 2ffb9d01593..55b613c344c 100644 --- a/docs/setup/setup-naming-and-tagging.md +++ b/docs/setup/setup-naming-and-tagging.md 
@@ -225,21 +225,48 @@ To configure the rule for a resource type, set the corresponding configuration v Rule | Resource type | Configuration value ---- | ------------- | ------------------- +`Azure.ACI.Naming` | `Microsoft.ContainerInstance/containerGroups` | `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` +`Azure.ACR.Naming` | `Microsoft.ContainerRegistry/registries` | `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` `Azure.Search.Naming` | `Microsoft.Search/searchServices` | `AZURE_AI_SEARCH_NAME_FORMAT` `Azure.AI.FoundryNaming` | `Microsoft.CognitiveServices/accounts` with `kind` = `AIServices` | `AZURE_AI_SERVICES_NAME_FORMAT` +`Azure.AKS.Naming` | `Microsoft.ContainerService/managedClusters` | `AZURE_AKS_CLUSTER_NAME_FORMAT` +`Azure.AKS.SystemPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `System` | `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` +`Azure.AKS.UserPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `User` | `AZURE_AKS_USER_POOL_NAME_FORMAT` `Azure.AppInsights.Naming` | `Microsoft.Insights/components` | `AZURE_APP_INSIGHTS_NAME_FORMAT` +`Azure.ContainerApp.Naming` | `Microsoft.App/containerApps` | `AZURE_CONTAINER_APP_NAME_FORMAT` +`Azure.ContainerApp.EnvNaming` | `Microsoft.App/managedEnvironments` | `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` +`Azure.ContainerApp.JobNaming` | `Microsoft.App/jobs` | `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` +`Azure.Cosmos.CassandraNaming` | `Microsoft.DocumentDb/databaseAccounts` with Cassandra API | `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` +`Azure.Cosmos.DatabaseNaming` | `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` | `AZURE_COSMOS_DATABASE_NAME_FORMAT` +`Azure.Cosmos.GremlinNaming` | `Microsoft.DocumentDb/databaseAccounts` with Gremlin API | `AZURE_COSMOS_GREMLIN_NAME_FORMAT` +`Azure.Cosmos.MongoNaming` | `Microsoft.DocumentDb/databaseAccounts` with MongoDB API | `AZURE_COSMOS_MONGO_NAME_FORMAT` +`Azure.Cosmos.NoSQLNaming` | `Microsoft.DocumentDb/databaseAccounts` with 
NoSQL API | `AZURE_COSMOS_NOSQL_NAME_FORMAT` +`Azure.Cosmos.PostgreSQLNaming` | `Microsoft.DBforPostgreSQL/serverGroupsv2` | `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` +`Azure.Cosmos.TableNaming` | `Microsoft.DocumentDb/databaseAccounts` with Table API | `AZURE_COSMOS_TABLE_NAME_FORMAT` `Azure.EventGrid.DomainNaming` | `Microsoft.EventGrid/domains` | `AZURE_EVENTGRID_DOMAIN_NAME_FORMAT` `Azure.EventGrid.TopicNaming` | `Microsoft.EventGrid/topics`, `Microsoft.EventGrid/domains/topics` | `AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT` `Azure.EventGrid.SystemTopicNaming` | `Microsoft.EventGrid/systemTopics` | `AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT` `Azure.VNG.ConnectionNaming` | `Microsoft.Network/connections` | `AZURE_GATEWAY_CONNECTION_NAME_FORMAT` `Azure.LB.Naming` | `Microsoft.Network/loadBalancers` | `AZURE_LOAD_BALANCER_NAME_FORMAT` `Azure.Log.Naming` | `Microsoft.OperationalInsights/workspaces` | `AZURE_LOG_WORKSPACE_NAME_FORMAT` +`Azure.MySQL.Naming` | `Microsoft.DBforMySQL/servers`, `Microsoft.DBforMySQL/flexibleServers` | `AZURE_MYSQL_SERVER_NAME_FORMAT` `Azure.NSG.Naming` | `Microsoft.Network/networkSecurityGroups` | `AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT` +`Azure.PostgreSQL.Naming` | `Microsoft.DBforPostgreSQL/servers`, `Microsoft.DBforPostgreSQL/flexibleServers` | `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` `Azure.PublicIP.Naming` | `Microsoft.Network/publicIPAddresses` | `AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT` +`Azure.Redis.Naming` | `Microsoft.Cache/Redis` | `AZURE_REDIS_CACHE_NAME_FORMAT` +`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/RedisEnterprise` with Enterprise or Enterprise Flash | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` `Azure.Group.Naming` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_NAME_FORMAT` `Azure.Group.RequiredTags` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_REQUIRED_TAGS` `Azure.Resource.RequiredTags` | Applies to all types that support tags except subscription and resource groups. 
| `AZURE_RESOURCE_REQUIRED_TAGS` `Azure.Route.Naming` | `Microsoft.Network/routeTables` | `AZURE_ROUTE_TABLE_NAME_FORMAT` +`Azure.ServiceFabric.Naming` | `Microsoft.ServiceFabric/clusters` | `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` +`Azure.ServiceFabric.ManagedNaming` | `Microsoft.ServiceFabric/managedClusters` | `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` +`Azure.SQL.ServerNaming` | `Microsoft.Sql/servers` | `AZURE_SQL_SERVER_NAME_FORMAT` +`Azure.SQL.DBNaming` | `Microsoft.Sql/servers/databases` | `AZURE_SQL_DATABASE_NAME_FORMAT` +`Azure.SQL.JobAgentNaming` | `Microsoft.Sql/servers/jobAgents` | `AZURE_SQL_JOB_AGENT_NAME_FORMAT` +`Azure.SQL.ElasticPoolNaming` | `Microsoft.Sql/servers/elasticPools` | `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` +`Azure.SQL.StretchDBNaming` | `Microsoft.Sql/servers/databases` with Data Warehouse service objective | `AZURE_SQL_STRETCH_DB_NAME_FORMAT` +`Azure.SQLMI.Naming` | `Microsoft.Sql/managedInstances` | `AZURE_SQL_MI_NAME_FORMAT` `Azure.Storage.Naming` | `Microsoft.Storage/storageAccounts` | `AZURE_STORAGE_ACCOUNT_NAME_FORMAT` `Azure.Subscription.RequiredTags` | `Microsoft.Subscription/aliases` | `AZURE_SUBSCRIPTION_REQUIRED_TAGS` `Azure.VM.Naming` | `Microsoft.Compute/virtualMachines` | `AZURE_VIRTUAL_MACHINE_NAME_FORMAT` diff --git a/pipeline.build.ps1 b/pipeline.build.ps1 index 665b5f5943f..d0515f48bf5 100644 --- a/pipeline.build.ps1 +++ b/pipeline.build.ps1 @@ -402,6 +402,7 @@ task BuildRuleMetadataCache { Recommendation = $_.Info.Recommendation Pillar = $_.Tag.'Azure.WAF/pillar' Control = $_.Labels.'Azure.MCSB.v1/control' + Maturity = $_.Labels.'Azure.WAF/maturity' Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '[/\\]')[-1])" } } 
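Review bot: The same `Maturity = $_.Labels.'Azure.WAF/maturity'` line is added to two copies of what looks like the same property map inside BuildRuleMetadataCache (this hunk and the one at -430), so the two outputs can drift the next time a column is added. If the two blocks really are identical apart from their input, factoring the hashtable into a small helper would keep them in step. Both hunks start inside the task body, which is outside this view.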
@@ -430,6 +431,7 @@ task BuildRuleMetadataCache {
 Recommendation = $_.Info.Recommendation
 Pillar = $_.Tag.'Azure.WAF/pillar'
 Control = $_.Labels.'Azure.MCSB.v1/control'
+ Maturity = $_.Labels.'Azure.WAF/maturity'
 Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '[/\\]')[-1])"
 }
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1
new file mode 100644
index 00000000000..dc51c488eea
--- /dev/null
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1
@@ -0,0 +1,15 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Azure Container Instances
+#
+
+#region Rules
+
+# Synopsis: Container instances without a standard naming convention may be difficult to identify and manage.
+Rule 'Azure.ACI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+ $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_INSTANCE_NAME_FORMAT, $True);
+}
+
+#endregion Rules
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
index a4186fb73f9..494401883dc 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
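Review bot: The `-If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' }` guard only disables the rule if the key has a declared default of `''`; when a configuration key is absent entirely, `$null -ne ''` evaluates to true in PowerShell and `$Assert.Match` runs with a null pattern. The defaults presumably live in Config.Rule.yaml, whose hunk is outside this view, so each new key should be checked there rather than relying on the guard alone; the same guard shape is used by every naming rule in this commit (ACR, AKS, Container Apps, Cosmos DB, MySQL, PostgreSQL, Redis, SQL, SQL MI, Service Fabric). A comment on the rule such as `# Runs only when AZURE_CONTAINER_INSTANCE_NAME_FORMAT is set; its default of '' is declared in Config.Rule.yaml` would record that dependency.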
@@ -75,6 +75,11 @@ Rule 'Azure.ACR.ReplicaLocation' -Ref 'AZR-000494' -Type 'Microsoft.ContainerReg } } +# Synopsis: Container registries without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ACR.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_REGISTRY_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml index 78accb39d98..c39bd351c3e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml @@ -62,6 +62,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerRegistry/registries diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 index 67e99aa9da0..a6d9b73129e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 
@@ -344,6 +344,33 @@ Rule 'Azure.AKS.MaintenanceWindow' -Ref 'AZR-000446' -Type 'Microsoft.ContainerS } } +# Synopsis: AKS clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.Naming' -Ref 'AZR-000507' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_CLUSTER_NAME_FORMAT, $True); +} + +# Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000508' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' }); + if ($agentPools.Length -eq 0) { + return $Assert.Pass(); + } + foreach ($agentPool in $agentPools) { + $Assert.Match($agentPool, 'name', $Configuration.AZURE_AKS_SYSTEM_POOL_NAME_FORMAT, $True); + } +} + +# Synopsis: AKS user node pools without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000509' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'User' }); + if ($agentPools.Length -eq 0) { + return $Assert.Pass(); + } + foreach ($agentPool in $agentPools) { + $Assert.Match($agentPool, 'name', $Configuration.AZURE_AKS_USER_POOL_NAME_FORMAT, $True); + } +} + #region Helper functions function global:GetAgentPoolProfiles { diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml index edd49222c9d..abdd2c13780 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml @@ -317,6 +317,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index ef19eab818d..799a8c8f9ab 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
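Review bot: `Azure.AKS.SystemPoolNaming` and `Azure.AKS.UserPoolNaming` are identical apart from the `mode` filter and the configuration key, so a shared helper next to `GetAgentPoolProfiles` that takes the mode and the pattern and performs the loop would keep the two in step. Both rules also accept `Microsoft.ContainerService/managedClusters/agentPools` targets; whether `GetAgentPoolProfiles` returns the pool itself in that case cannot be seen here (its body starts at the end of this hunk and continues outside it), and if it returns nothing for a standalone pool the rule silently passes through `$Assert.Pass()`, so a test with a standalone agent pool resource is worth adding.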
@@ -33,6 +33,21 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap $Assert.HasFieldValue($TargetObject, 'properties.vnetConfiguration.infrastructureSubnetId'); } +# Synopsis: Container apps without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000510' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_NAME_FORMAT, $True); +} + +# Synopsis: Container apps environments without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.EnvNaming' -Ref 'AZR-000511' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT, $True); +} + +# Synopsis: Container apps jobs without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000512' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_JOB_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml index 7cd410809db..1e69c1306b3 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml @@ -66,6 +66,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.App/containerApps diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index adae0e0410e..07755b9aaac 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -52,6 +52,41 @@ Rule 'Azure.Cosmos.MongoAvailabilityZone' -Ref 'AZR-000503' -Type 'Microsoft.Doc } } +# Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000513' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsCassandra' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for MongoDB accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_MONGO_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for NoSQL accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000515' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_NOSQL_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000516' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsTable' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000517' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsGremlin' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB PostgreSQL clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000518' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_POSTGRESQL_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB databases without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000519' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_DATABASE_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml index 4f1b6bae42d..f44e2bb2e53 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml @@ -40,6 +40,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.DocumentDb/databaseAccounts diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 index 3b888fc8100..146096c63bf 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 @@ -203,3 +203,12 @@ function global:MySQLSingleServerAAD { } #endregion Helper functions + +#region Naming rules + +# Synopsis: MySQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.MySQL.ServerNaming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_MYSQL_SERVER_NAME_FORMAT, $True); +} + +#endregion Naming rules 
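Review bot: The API selection is done three different ways across these rules: `Azure.Cosmos.CassandraNaming`, `TableNaming` and `GremlinNaming` use `-With` selectors, `Azure.Cosmos.MongoNaming` inlines `$TargetObject.kind -eq 'MongoDB'` in its `-If`, and `Azure.Cosmos.NoSQLNaming` calls `Test-IsNoSQL`. Moving the MongoDB test into a selector alongside `Azure.Cosmos.IsCassandra` (and doing the same for NoSQL if the file's selector set has one) would make the rules read uniformly and keep each API test in one place. `Azure.Cosmos.DatabaseNaming` targets `Microsoft.DocumentDB/databaseAccounts/sqlDatabases`, i.e. NoSQL databases only, so its synopsis `Azure Cosmos DB databases` reads broader than the rule; `# Synopsis: Azure Cosmos DB for NoSQL databases without a standard naming convention may be difficult to identify and manage.` would match the sibling synopses. It also matches the full `TargetName`, which for a nested resource may carry the parent account name as a prefix, so it is worth checking against an `account/database` target.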
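Review bot: The rule is named `Azure.MySQL.ServerNaming`, but the docs table in this commit lists it as `Azure.MySQL.Naming`, and the same mismatch exists for `Azure.PostgreSQL.ServerNaming` vs `Azure.PostgreSQL.Naming` in the next hunk; one side has to change or the configuration guidance points at rules that do not exist. The synopsis also says `MySQL databases` while the rule targets `Microsoft.DBforMySQL/servers` and `flexibleServers`; `# Synopsis: MySQL servers without a standard naming convention may be difficult to identify and manage.` would describe what is actually checked, and the PostgreSQL synopsis has the same wording issue.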
diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 index 5fa6650169e..7f27d774adf 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 @@ -166,3 +166,12 @@ function global:PostgreSQLSingleServerAAD { } #endregion Helper functions + +#region Naming rules + +# Synopsis: PostgreSQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.PostgreSQL.ServerNaming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_POSTGRESQL_SERVER_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index caba1003df9..8c5ce1619b4 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 @@ -187,3 +187,12 @@ function global:HasPublicNetworkAccess { } #endregion Helper functions + +#region Naming rules + +# Synopsis: Azure Cache for Redis instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Redis.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_CACHE_NAME_FORMAT, $True); +} + +#endregion Naming rules 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml index 8361a540355..0118769afea 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml @@ -161,4 +161,40 @@ spec: - field: properties.sku.name exists: true +--- +# Synopsis: Azure Cache for Redis with Enterprise SKU. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Selector +metadata: + name: Azure.Redis.IsEnterprise + annotations: + export: false +spec: + if: + allOf: + - type: '.' + equals: Microsoft.Cache/redisEnterprise + - field: sku.name + startsWith: + - 'Enterprise_' + - 'EnterpriseFlash_' + +--- +# Synopsis: Azure Managed Redis. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Selector +metadata: + name: Azure.Redis.IsManaged + annotations: + export: false +spec: + if: + allOf: + - type: '.' + equals: Microsoft.Cache/redisEnterprise + - field: sku.name + notStartsWith: + - 'Enterprise_' + - 'EnterpriseFlash_' + #endregion Selectors diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 new file mode 100644 index 00000000000..cf7d1a1fc84 --- /dev/null +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 
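Review bot: `Azure.Redis.IsManaged` classifies a `Microsoft.Cache/redisEnterprise` resource as Azure Managed Redis by negation (`notStartsWith` `Enterprise_`/`EnterpriseFlash_`), so a resource with no `sku.name`, or with a future Enterprise SKU prefix, lands in the managed bucket. If the Managed Redis SKU families are a known closed set (`Balanced_`, `MemoryOptimized_`, `ComputeOptimized_`, `FlashOptimized_` — confirm against the current SKU list), a positive `startsWith` list is the safer test; at minimum a comment above each selector should state that the two are meant to be complementary and split purely on SKU prefix, e.g. `# Complement of Azure.Redis.IsEnterprise: any redisEnterprise SKU that is not Enterprise/Enterprise Flash.`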
@@ -0,0 +1,15 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Azure Managed Redis (Redis Enterprise)
+#
+
+#region Naming rules
+
+# Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage.
+Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000524' -Type 'Microsoft.Cache/RedisEnterprise' -With 'Azure.Redis.IsEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+ $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True);
+}
+
+#endregion Naming rules
diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml
index ca06cf46381..dc32adcbee9 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml
@@ -23,7 +23,9 @@ metadata:
 Azure.WAF/maturity: L1
 spec:
 type:
- - Microsoft.Cache/redisEnterprise
+ - Microsoft.Cache/redisEnterprise
+ with:
+ - Azure.Redis.IsEnterprise
 condition:
 field: properties.minimumTlsVersion
 hasDefault: '1.2'
diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
index b5a87659912..fad5a70dbbf 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
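Review bot: Adding `with: - Azure.Redis.IsEnterprise` to the `properties.minimumTlsVersion` rule narrows it to Enterprise and Enterprise Flash SKUs, so `Microsoft.Cache/redisEnterprise` resources with other SKUs (Azure Managed Redis, per the new `Azure.Redis.IsManaged` selector) are no longer checked for a TLS 1.2 minimum. If that is deliberate because Managed Redis does not expose or already enforces `minimumTlsVersion`, a comment above `with:` saying so would stop the next reader from treating it as a coverage gap; otherwise a matching Managed Redis rule, or leaving the rule unscoped, preserves the check. The rule's metadata header is outside this hunk, so its name is not visible here. Separately, the new `Azure.RedisEnterprise.Naming` rule uses `-Type 'Microsoft.Cache/RedisEnterprise'` while the YAML rule and selectors spell it `Microsoft.Cache/redisEnterprise`; PSRule type matching is presumably case-insensitive, but one spelling would read better.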
@@ -79,7 +79,7 @@ Rule 'Azure.SQL.AAD' -Ref 'AZR-000188' -Type 'Microsoft.Sql/servers', 'Microsoft } # Synopsis: Azure SQL logical server names should meet naming requirements. -Rule 'Azure.SQL.ServerName' -Ref 'AZR-000190' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } { +Rule 'Azure.SQL.ServerName' -Ref 'AZR-000190' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2'; } { # https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql # Between 1 and 63 characters long @@ -151,7 +151,7 @@ Rule 'Azure.SQL.TDE' -Ref 'AZR-000191' -Type 'Microsoft.Sql/servers/databases', } # Synopsis: Azure SQL Database names should meet naming requirements. -Rule 'Azure.SQL.DBName' -Ref 'AZR-000192' -Type 'Microsoft.Sql/servers/databases' -If { !(IsExport) } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } { +Rule 'Azure.SQL.DBName' -Ref 'AZR-000192' -Type 'Microsoft.Sql/servers/databases' -If { !(IsExport) } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2'; } { # https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql $name = $PSRule.TargetName.Split('/', 2, [System.StringSplitOptions]::RemoveEmptyEntries)[-1]; 
@@ -255,3 +255,27 @@ function global:IsMasterDatabase { } #endregion Helper functions + +#region Naming rules + +# Synopsis: Azure SQL Database servers without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000525' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_SERVER_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.DBNaming' -Ref 'AZR-000526' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL Elastic Job agents without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000527' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_JOB_AGENT_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL Elastic Pools without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000528' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_ELASTIC_POOL_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 index c1e7e3fc6a4..72e6b3fb016 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 @@ -62,4 +62,9 @@ Rule 'Azure.SQLMI.MaintenanceWindow' -Ref 'AZR-000441' -Type 'Microsoft.Sql/mana ) } +# Synopsis: SQL Managed Instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000529' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_MI_NAME_FORMAT, $True); +} + #endregion SQL Managed Instance diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 new file mode 100644 index 00000000000..8d1bb086cb7 --- /dev/null +++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 
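Review bot: `Azure.SQL.DBNaming`, `Azure.SQL.JobAgentNaming` and `Azure.SQL.ElasticPoolNaming` match the full `$PSRule.TargetName`, but the existing `Azure.SQL.DBName` rule in this file (hunk at -151) strips a `server/` prefix with `$PSRule.TargetName.Split('/', 2, [System.StringSplitOptions]::RemoveEmptyEntries)[-1]` before checking the name, which indicates child resources can arrive as `server/child`; an anchored pattern such as `^sqldb-` would then fail on every such target. Reuse the same split and match the result, e.g. `$name = $PSRule.TargetName.Split('/', 2, [System.StringSplitOptions]::RemoveEmptyEntries)[-1];` followed by `$Assert.Match($name, '.', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True);` (the `'.'` path selects the object itself — confirm against the PSRule version in use), and cover it with a test whose target name carries the server prefix. The docs table in this commit also lists `Azure.SQL.StretchDBNaming` with `AZURE_SQL_STRETCH_DB_NAME_FORMAT`, but no such rule appears in this hunk or in the commented `Azure.CAF_2025_12` configuration, so either it lives elsewhere or the table row is ahead of the code.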
@@ -0,0 +1,20 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Validation rules for Service Fabric +# + +#region Naming rules + +# Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000530' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT, $True); +} + +# Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000531' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml index d882dd7eb16..222db8103a5 100644 --- a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml @@ -16,6 +16,28 @@ spec: rule: tag: release: GA + ruleSet: + - '2020_06' + - '2020_09' + - '2020_12' + - '2021_03' + - '2021_06' + - '2021_09' + - '2021_12' + - '2022_03' + - '2022_06' + - '2022_09' + - '2022_12' + - '2023_03' + - '2023_06' + - '2023_09' + - '2023_12' + - '2024_03' + - '2024_06' + - '2024_09' + - '2024_12' + - '2025_03' + - '2025_06' labels: Azure.CAF: '*' 
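Review bot: The 21-entry `ruleSet` list pins this baseline to rule sets up to `2025_06`, presumably so the new `2025_12` naming rules do not change the behaviour of existing CAF baselines, but nothing in the file says so and the identical list is pasted into the two further baselines at -52 and -88. A one-line comment above `ruleSet:` such as `# Pinned to rule sets up to 2025_06 so later naming rules do not alter this baseline.` would make the intent explicit, and noting the three-way duplication there would help prevent the lists from drifting when another rule set is added to one baseline but not the others.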
@@ -52,6 +74,28 @@ spec: rule: tag: release: GA + ruleSet: + - '2020_06' + - '2020_09' + - '2020_12' + - '2021_03' + - '2021_06' + - '2021_09' + - '2021_12' + - '2022_03' + - '2022_06' + - '2022_09' + - '2022_12' + - '2023_03' + - '2023_06' + - '2023_09' + - '2023_12' + - '2024_03' + - '2024_06' + - '2024_09' + - '2024_12' + - '2025_03' + - '2025_06' labels: Azure.CAF: '*' @@ -88,6 +132,28 @@ spec: rule: tag: release: GA + ruleSet: + - '2020_06' + - '2020_09' + - '2020_12' + - '2021_03' + - '2021_06' + - '2021_09' + - '2021_12' + - '2022_03' + - '2022_06' + - '2022_09' + - '2022_12' + - '2023_03' + - '2023_06' + - '2023_09' + - '2023_12' + - '2024_03' + - '2024_06' + - '2024_09' + - '2024_12' + - '2025_03' + - '2025_06' labels: Azure.CAF: '*' 
@@ -108,3 +174,65 @@ spec: AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' AZURE_VNET_NAME_FORMAT: '^vnet-' AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' + +# --- +# # Synopsis: Includes rules related to Azure CAF based on a December 2025 snapshot. +# apiVersion: github.com/microsoft/PSRule/v1 +# kind: Baseline +# metadata: +# name: Azure.CAF_2025_12 +# annotations: +# taxonomy: Azure.CAF +# export: true +# moduleVersion: v1.48.0 +# experimental: true +# spec: +# rule: +# tag: +# release: GA +# labels: +# Azure.CAF: '*' + +# configuration: +# AZURE_AI_SEARCH_NAME_FORMAT: '^srch-' +# AZURE_AI_SERVICES_NAME_FORMAT: '^aif-' +# AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' +# AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' +# AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' +# AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-' +# AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' +# AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-' +# AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' +# AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' +# AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-' +# AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-' +# AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-' +# AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-' +# AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-' +# AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-' +# AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-' +# AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '^evgd-' +# AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '^evgt-' +# AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '^egst-' +# AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '^con-' +# AZURE_LOAD_BALANCER_NAME_FORMAT: '^(lbi|lbe)-' +# AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-' +# AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '^nsg-' +# AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-' +# AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '^pip-' +# AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' +# AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^redis-' +# AZURE_RESOURCE_GROUP_NAME_FORMAT: '^rg-' +# AZURE_ROUTE_TABLE_NAME_FORMAT: '^rt-' +# 
AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' +# AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' +# AZURE_SQL_SERVER_NAME_FORMAT: '^sql-' +# AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' +# AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' +# AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' +# AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' +# AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '^(st|stvm)' +# AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '^vm' +# AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' +# AZURE_VNET_NAME_FORMAT: '^vnet-' +# AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index bce03e1709e..90123536ca9 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml 
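Review bot: `AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-'` in the commented-out `Azure.CAF_2025_12` baseline is the only format without a leading `^` anchor, so once this block is enabled a name containing `vgw-` anywhere would pass while every other entry requires a prefix; it copies the same unanchored value from the existing configuration shown as context at the top of the hunk. Change it to `AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: '^vgw-'` in the new block, and consider the same fix for the live line in a follow-up. `AZURE_REDIS_CACHE_NAME_FORMAT` and `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` are both `'^redis-'`, which may be intended but means the two resource kinds cannot be told apart by prefix.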
@@ -91,17 +91,36 @@ spec:
 # Name format defaults.
 AZURE_AI_SEARCH_NAME_FORMAT: ''
 AZURE_AI_SERVICES_NAME_FORMAT: ''
+ AZURE_AKS_CLUSTER_NAME_FORMAT: ''
+ AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: ''
+ AZURE_AKS_USER_POOL_NAME_FORMAT: ''
 AZURE_APP_INSIGHTS_NAME_FORMAT: ''
+ AZURE_CONTAINER_APP_NAME_FORMAT: ''
+ AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: ''
+ AZURE_CONTAINER_APP_JOB_NAME_FORMAT: ''
+ AZURE_CONTAINER_INSTANCE_NAME_FORMAT: ''
+ AZURE_CONTAINER_REGISTRY_NAME_FORMAT: ''
 AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: ''
 AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: ''
 AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: ''
 AZURE_GATEWAY_CONNECTION_NAME_FORMAT: ''
 AZURE_LOAD_BALANCER_NAME_FORMAT: ''
 AZURE_LOG_WORKSPACE_NAME_FORMAT: ''
+ AZURE_MYSQL_SERVER_NAME_FORMAT: ''
 AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: ''
+ AZURE_POSTGRESQL_SERVER_NAME_FORMAT: ''
 AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: ''
+ AZURE_REDIS_CACHE_NAME_FORMAT: ''
+ AZURE_REDIS_ENTERPRISE_NAME_FORMAT: ''
 AZURE_RESOURCE_GROUP_NAME_FORMAT: ''
 AZURE_ROUTE_TABLE_NAME_FORMAT: ''
+ AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: ''
+ AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: ''
+ AZURE_SQL_DATABASE_NAME_FORMAT: ''
+ AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: ''
+ AZURE_SQL_JOB_AGENT_NAME_FORMAT: ''
+ AZURE_SQL_MI_NAME_FORMAT: ''
+ AZURE_SQL_SERVER_NAME_FORMAT: ''
 AZURE_STORAGE_ACCOUNT_NAME_FORMAT: ''
 AZURE_VIRTUAL_MACHINE_NAME_FORMAT: ''
 AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: ''
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1
new file mode 100644
index 00000000000..0cf2a91de96
--- /dev/null
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1
@@ -0,0 +1,67 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Unit tests for Container Instances +# + +[CmdletBinding()] +param () + +BeforeAll { + # Setup error handling + $ErrorActionPreference = 'Stop'; + Set-StrictMode -Version latest; + + if ($Env:SYSTEM_DEBUG -eq 'true') { + $VerbosePreference = 'Continue'; + } + + # Setup tests paths + $rootPath = $PWD; + Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force; + $here = (Resolve-Path $PSScriptRoot).Path; +} + +Describe 'Azure.ACI' -Tag 'ACI' { + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_INSTANCE_NAME_FORMAT' = '^ci-' + }; + + $names = @('instance-001', 'ci-001', 'CI-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerInstance/containerGroups' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.ACI.Naming' + } + + It 'Azure.ACI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ACI.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'instance-001', 'CI-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'ci-001'; + } + } +} diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 index f747fbd08a0..083c8c410fc 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 
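Review bot: `$here = (Resolve-Path $PSScriptRoot).Path;` is assigned in `BeforeAll` but never read anywhere in this new file, and the `-Name 'Azure.ACI.Naming'` argument on `Invoke-PSRule` already scopes the run, so the later `Where-Object { $_.RuleName -eq 'Azure.ACI.Naming' }` filter is redundant. Drop the unused variable, or keep it only once a fixture under `$here` is added. This is style only; the assertions themselves are consistent with the three names and the case-sensitive `^ci-` pattern.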
@@ -362,4 +362,50 @@ Describe 'Azure.ACR' -Tag 'ACR' { $ruleResult.Detail.Reason.Path | Should -BeIn 'name'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_REGISTRY_NAME_FORMAT' = '^cr' + }; + + $names = @( + 'registry001' + 'cr001' + 'CR001' + ) + + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerRegistry/registries' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.ACR.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ACR.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'registry001', 'CR001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cr001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 index 9e507654a8e..74257c46aa9 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 
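Review bot: `$result = $items | Invoke-PSRule @invokeParams -Option $option` is called without `-Name`, so every rule in the `Azure.All` baseline runs against the three registry objects and the output is filtered afterwards by `RuleName`, whereas the ACI, MySQL, PostgreSQL, Redis and SQL tests in this commit pass `-Name`. The same unscoped call appears in the AKS, Container App, Cosmos, SQL MI and Service Fabric hunks below. Passing `-Name 'Azure.ACR.Naming'` keeps each run scoped and faster. The `Context` titles also vary between `'Resource naming'`, `'Resource naming format'` and `'Resource name'` across these files; one wording would help when filtering test output.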
@@ -1451,4 +1451,116 @@ Describe 'Azure.AKS' -Tag AKS { $ruleResult.TargetName | Should -BeIn 'cluster-D', 'cluster-J'; } } + + Context 'Resource name' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_AKS_CLUSTER_NAME_FORMAT' = '^aks-' + 'AZURE_AKS_SYSTEM_POOL_NAME_FORMAT' = '^npsystem' + 'AZURE_AKS_USER_POOL_NAME_FORMAT' = '^np' + }; + + $clusterNames = @( + 'cluster-001' + 'aks-001' + 'AKS-001' + ) + + $systemPoolNames = @( + 'agentpool' + 'npsystem001' + 'npsystem' + ) + + $userPoolNames = @( + 'userpool' + 'np001' + 'NP001' + ) + + $clusterItems = @($clusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters' + } + }); + + $systemPoolItems = @($systemPoolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters/agentPools' + Properties = @{ + mode = 'System' + } + } + }); + + $userPoolItems = @($userPoolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters/agentPools' + Properties = @{ + mode = 'User' + } + } + }); + + $result = @($clusterItems + $systemPoolItems + $userPoolItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.AKS.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cluster-001', 'AKS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'aks-001'; + } + + It 'Azure.AKS.SystemPoolNaming' { + $filteredResult 
= $result | Where-Object { $_.RuleName -eq 'Azure.AKS.SystemPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'agentpool'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'npsystem001', 'npsystem'; + } + + It 'Azure.AKS.UserPoolNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.UserPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'userpool', 'NP001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'np001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 index 02e7a0657d0..111b85531bf 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 
@@ -255,4 +255,110 @@ Describe 'Azure.ContainerApp' -Tag 'ContainerApp' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_APP_NAME_FORMAT' = '^ca-' + 'AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT' = '^cae-' + 'AZURE_CONTAINER_APP_JOB_NAME_FORMAT' = '^caj-' + }; + + $appNames = @( + 'app-001' + 'ca-001' + 'CA-001' + ) + + $envNames = @( + 'env-001' + 'cae-001' + 'CAE-001' + ) + + $jobNames = @( + 'job-001' + 'caj-001' + 'CAJ-001' + ) + + $appItems = @($appNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/containerApps' + } + }); + + $envItems = @($envNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/managedEnvironments' + } + }); + + $jobItems = @($jobNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/jobs' + } + }); + + $result = @($appItems + $envItems + $jobItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.ContainerApp.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'app-001', 'CA-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'ca-001'; + } + + It 'Azure.ContainerApp.EnvNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.EnvNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should 
-Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'env-001', 'CAE-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cae-001'; + } + + It 'Azure.ContainerApp.JobNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.JobNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'job-001', 'CAJ-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'caj-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 index 0d07b4ce570..8abb18c0a2d 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 
@@ -277,4 +277,214 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' { $ruleResult.TargetName | Should -BeIn 'nosql-C'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_COSMOS_NOSQL_NAME_FORMAT' = '^cosno-' + 'AZURE_COSMOS_MONGO_NAME_FORMAT' = '^cosmon-' + 'AZURE_COSMOS_CASSANDRA_NAME_FORMAT' = '^coscas-' + 'AZURE_COSMOS_TABLE_NAME_FORMAT' = '^costab-' + 'AZURE_COSMOS_GREMLIN_NAME_FORMAT' = '^cosgrm-' + 'AZURE_COSMOS_DATABASE_NAME_FORMAT' = '^cosmos-' + 'AZURE_COSMOS_POSTGRESQL_NAME_FORMAT' = '^cospos-' + }; + + $nosqlNames = @('account-001', 'cosno-001', 'COSNO-001') + $mongoNames = @('mongo-001', 'cosmon-001', 'COSMON-001') + $cassandraNames = @('cassandra-001', 'coscas-001', 'COSCAS-001') + $tableNames = @('table-001', 'costab-001', 'COSTAB-001') + $gremlinNames = @('gremlin-001', 'cosgrm-001', 'COSGRM-001') + $dbNames = @('db-001', 'cosmos-001', 'COSMOS-001') + $postgresNames = @('postgres-001', 'cospos-001', 'COSPOS-001') + + $nosqlItems = @($nosqlNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @() + } + } + }); + + $mongoItems = @($mongoNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'MongoDB' + Properties = @{ } + } + }); + + $cassandraItems = @($cassandraNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 'EnableCassandra' }) + } + } + }); + + $tableItems = @($tableNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 
'EnableTable' }) + } + } + }); + + $gremlinItems = @($gremlinNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 'EnableGremlin' }) + } + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' + } + }); + + $postgresItems = @($postgresNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/serverGroupsv2' + } + }); + + $result = @($nosqlItems + $mongoItems + $cassandraItems + $tableItems + $gremlinItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.Cosmos.NoSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.NoSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'account-001', 'COSNO-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosno-001'; + } + + It 'Azure.Cosmos.MongoNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.MongoNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mongo-001', 'COSMON-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmon-001'; + } + + It 'Azure.Cosmos.CassandraNaming' { + $filteredResult = $result | 
Where-Object { $_.RuleName -eq 'Azure.Cosmos.CassandraNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cassandra-001', 'COSCAS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'coscas-001'; + } + + It 'Azure.Cosmos.TableNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.TableNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'table-001', 'COSTAB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'costab-001'; + } + + It 'Azure.Cosmos.GremlinNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.GremlinNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'gremlin-001', 'COSGRM-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosgrm-001'; + } + + It 'Azure.Cosmos.DatabaseNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.DatabaseNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | 
Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'db-001', 'COSMOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmos-001'; + } + + It 'Azure.Cosmos.PostgreSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PostgreSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'postgres-001', 'COSPOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cospos-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 index 9acede88c88..eb0e5f43777 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 
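Review bot: The account objects use `Type = 'Microsoft.DocumentDb/databaseAccounts'` while the database objects use `Type = 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases'`, so the provider namespace is spelled with two casings in one fixture. PSRule type matching is believed to be case-insensitive, in which case this is harmless, but if any selector or rule `-Type` compares exactly, the `sqlDatabases` items would simply yield no result rather than a visible failure; using one spelling removes the dependency. The NoSQL assertion expecting exactly three results also relies on `Azure.Cosmos.NoSQLNaming` excluding the Cassandra, Table and Gremlin accounts by capability, which is defined outside this diff and worth confirming.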
@@ -309,4 +309,45 @@ Describe 'Azure.MySQL' -Tag 'MySql' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_MYSQL_SERVER_NAME_FORMAT' = '^mysql-' + }; + + $names = @('myserver-001', 'mysql-001', 'MYSQL-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforMySQL/servers' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.MySQL.ServerNaming' + } + + It 'Azure.MySQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'myserver-001', 'MYSQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'mysql-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 index 3a3ef7ee7f6..8d9f7f3f73f 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 
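Review bot: The fixture only covers `Type = 'Microsoft.DBforMySQL/servers'`; if `Azure.MySQL.ServerNaming` also targets `Microsoft.DBforMySQL/flexibleServers` (the rule definition is outside this diff), that resource type is untested, and the same applies to `Microsoft.DBforPostgreSQL/flexibleServers` in the PostgreSQL hunk on the next line. Adding a second item set with `Type = 'Microsoft.DBforMySQL/flexibleServers'` would pin both paths. If the rules deliberately target only the single-server type, a one-line comment saying so would stop the next reader from asking the same question.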
@@ -285,4 +285,45 @@ Describe 'Azure.PostgreSQL' -Tag 'PostgreSQL' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_POSTGRESQL_SERVER_NAME_FORMAT' = '^psql-' + }; + + $names = @('pgserver-001', 'psql-001', 'PSQL-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/servers' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.PostgreSQL.ServerNaming' + } + + It 'Azure.PostgreSQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'pgserver-001', 'PSQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'psql-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 44bbcbeaac3..56cba6e2d63 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 
@@ -522,4 +522,71 @@ Describe 'Azure.Redis' -Tag 'Redis' { $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_REDIS_CACHE_NAME_FORMAT' = '^redis-' + 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = '^redis-' + }; + + $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') + + $cacheItems = @($cacheNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/Redis' + } + + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/RedisEnterprise' + SKU = [PSCustomObject]@{ + Name = "Enterprise_E10" + } + } + }); + + $result = $cacheItems | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.Redis.Naming', 'Azure.RedisEnterprise.Naming' + } + + It 'Azure.Redis.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'redis-001'; + } + + It 'Azure.RedisEnterprise.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'REDIS-001'; + + # Pass + $ruleResult = 
@($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'redis-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 index bf0cbe3dcb5..f50bda0b146 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 
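Review bot: The `Azure.RedisEnterprise.Naming` assertion `$ruleResult.TargetName | Should -BeIn 'enterprise-001', 'REDIS-001';` cannot pass as written: `$cacheItems` builds the enterprise objects from the same `$cacheNames` (`'cache-001'`, `'redis-001'`, `'REDIS-001'`), so there is no `enterprise-001` target and the two failing names are `cache-001` and `REDIS-001`. Change the line to `$ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001';`, or give the enterprise items their own name list if a distinct fixture was intended.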
@@ -457,4 +457,126 @@ Describe 'Azure.SQL' -Tag 'SQL', 'SQLDB' { $ruleResult.TargetName | Should -BeIn 'sql-sql-01/sqldb-sql-01'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SQL_SERVER_NAME_FORMAT' = '^sql-' + 'AZURE_SQL_DATABASE_NAME_FORMAT' = '^sqldb-' + 'AZURE_SQL_JOB_AGENT_NAME_FORMAT' = '^sqlja-' + 'AZURE_SQL_ELASTIC_POOL_NAME_FORMAT' = '^sqlep-' + }; + + $serverNames = @('server-001', 'sql-001', 'SQL-001') + $dbNames = @('database-001', 'sqldb-001', 'SQLDB-001') + $jobAgentNames = @('agent-001', 'sqlja-001', 'SQLJA-001') + $poolNames = @('pool-001', 'sqlep-001', 'SQLEP-001') + + $serverItems = @($serverNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers' + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/databases' + } + }); + + $jobAgentItems = @($jobAgentNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/jobAgents' + } + }); + + $poolItems = @($poolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/elasticPools' + } + }); + + $result = @($serverItems + $dbItems + $jobAgentItems + $poolItems) | Invoke-PSRule @invokeParams -Option $option -Name @( + 'Azure.SQL.ServerNaming' + 'Azure.SQL.DBNaming' + 'Azure.SQL.JobAgentNaming' + 'Azure.SQL.ElasticPoolNaming' + ) + } + + It 'Azure.SQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'server-001', 'SQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome 
-eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sql-001'; + } + + It 'Azure.SQL.DBNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DBNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'database-001', 'SQLDB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqldb-001'; + } + + It 'Azure.SQL.JobAgentNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.JobAgentNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'agent-001', 'SQLJA-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlja-001'; + } + + It 'Azure.SQL.ElasticPoolNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ElasticPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'pool-001', 'SQLEP-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlep-001'; + } + } } 
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 index 4fae748c716..c79ae9abbf5 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 @@ -156,4 +156,45 @@ Describe 'Azure.SQLMI' -Tag 'SQLMI' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SQL_MI_NAME_FORMAT' = '^sqlmi-' + }; + + $names = @('mi-001', 'sqlmi-001', 'SQLMI-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/managedInstances' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.SQLMI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQLMI.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mi-001', 'SQLMI-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlmi-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 index 07e7e066ea7..02989caf099 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 
@@ -88,4 +88,71 @@ Describe 'Azure.ServiceFabric' -Tag 'ServiceFabric' {
 $ruleResult.TargetName | Should -BeIn 'cluster-001';
 }
 }
+
+ Context 'Resource naming' {
+ BeforeAll {
+ $invokeParams = @{
+ Baseline = 'Azure.All'
+ Module = 'PSRule.Rules.Azure'
+ WarningAction = 'Ignore'
+ ErrorAction = 'Stop'
+ }
+
+ $option = New-PSRuleOption -Configuration @{
+ 'AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT' = '^sf-'
+ 'AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT' = '^sfmc-'
+ };
+
+ $clusterNames = @('cluster-001', 'sf-001', 'SF-001')
+ $managedClusterNames = @('managed-001', 'sfmc-001', 'SFMC-001')
+
+ $clusterItems = @($clusterNames | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.ServiceFabric/clusters'
+ }
+ });
+
+ $managedClusterItems = @($managedClusterNames | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.ServiceFabric/managedClusters'
+ }
+ });
+
+ $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option
+ }
+
+ It 'Azure.ServiceFabric.Naming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.Naming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'cluster-001', 'SF-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'sf-001';
+ }
+
+ It 'Azure.ServiceFabric.ManagedNaming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.ManagedNaming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'managed-001', 'SFMC-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'sfmc-001';
+ }
+ }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json
index 3b44284613a..fddb402eb55 100644
--- a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json
+++ b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json
@@ -1,9 +1,8 @@
 [
 {
 "Name": "redis-A",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-A",
- "ResourceName": "redis-A",
- "ResourceType": "Microsoft.Cache/Redis",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-A",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -45,9 +44,8 @@
 },
 {
 "Name": "redis-B",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-B",
- "ResourceName": "redis-B",
- "ResourceType": "Microsoft.Cache/Redis",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-B",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -375,7 +373,7 @@
 ],
 "ResourceGroupName": "test-rg",
 "Type": "Microsoft.Cache/Redis",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ExtensionResourceType": null,
 "Sku": null,
 "Tags": null,
@@ -554,7 +552,7 @@
 ],
 "ResourceGroupName": "test-rg",
 "Type": "Microsoft.Cache/Redis",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ExtensionResourceType": null,
 "Sku": null,
 "Tags": null,
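Review bot: The context is named `'Resource naming'` here while the equivalent block added to the SQLMI test file in this same commit is `'Resource naming format'`; for consistent test output, `Context 'Resource naming format' {` would align the two. Because cluster and managed-cluster items are pushed through one shared `$result`, the `Length | Should -Be 2` and `-Be 1` assertions also implicitly verify that `Azure.ServiceFabric.Naming` does not fire on `Microsoft.ServiceFabric/managedClusters` and vice versa; that is valuable but not obvious, so a comment on the `$result` line such as `# Both types share $result, so the per-rule counts also confirm each rule binds only to its own type` would make the intent explicit.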
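Review bot: In hunks `@@ -375,7 +373,7 @@` and `@@ -554,7 +552,7 @@` the renamed `"type"` key lands directly under an existing `"Type"` key in the same object, so those two fixtures now carry two members that differ only by case with the same value. Strict JSON permits this, but any consumer that looks members up case-insensitively (PowerShell's default object model, for one) sees a duplicate, and which value wins — or whether loading errors out — depends on the loader and cannot be determined from the diff. Dropping the pre-existing `"Type": "Microsoft.Cache/Redis",` line in those two objects (or the new `"type"` line, if `Type` is what the fixture relies on) removes the ambiguity. Separately, the file now has three shapes side by side — `Name`/`id`/`type` for redis-A and redis-B, lowercase `name`/`id`/`type` for redis-K through redis-P, and the old `ResourceId`/`ResourceName` kept beside `type` for redis-E through redis-S — which makes it harder to tell which members a rule is expected to read.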
@@ -567,7 +565,7 @@
 "Name": "redis-E",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-E",
 "ResourceName": "redis-E",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -737,7 +735,7 @@
 "Name": "redis-F",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-F",
 "ResourceName": "redis-F",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -772,7 +770,7 @@
 "Name": "redis-G",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-G",
 "ResourceName": "redis-G",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -808,7 +806,7 @@
 "Name": "redis-H",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-H",
 "ResourceName": "redis-H",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "Antarctica North",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -840,7 +838,7 @@
 "Name": "redis-I",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-I",
 "ResourceName": "redis-I",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "antarcticasouth",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -872,7 +870,7 @@
 "Name": "redis-J",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-G",
 "ResourceName": "redis-J",
- "ResourceType": "Microsoft.Cache/Redis",
+ "type": "Microsoft.Cache/Redis",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -905,10 +903,9 @@
 ]
 },
 {
- "Name": "redis-K",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K",
- "ResourceName": "redis-K",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "name": "redis-K",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -928,10 +925,9 @@
 ]
 },
 {
- "Name": "redis-L",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-L",
- "ResourceName": "redis-L",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "name": "redis-L",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-L",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
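Review bot: The new `"id"` for `redis-K` in hunk `@@ -905,10 +903,9 @@` carries over the doubled provider segment `providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K` from the removed `ResourceId`, so it is not a well-formed resource ID; if any rule derives type or name from `id`, this fixture exercises a malformed path rather than an enterprise cache. The renaming was the moment to correct it: `"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-K",`. The adjacent `redis-J` object in hunk `@@ -872,7 +870,7 @@` has a pre-existing mismatch of the same kind — its untouched `ResourceId` ends in `redis-G` while `ResourceName` is `redis-J` — which the commit leaves as is.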
@@ -947,10 +943,9 @@
 "zones": []
 },
 {
- "Name": "redis-M",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-M",
- "ResourceName": "redis-M",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "name": "redis-M",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-M",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "Antarctica North",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -966,10 +961,9 @@
 "zones": []
 },
 {
- "Name": "redis-N",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-N",
- "ResourceName": "redis-N",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "name": "redis-N",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-N",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "antarcticasouth",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -985,10 +979,9 @@
 "zones": []
 },
 {
- "Name": "redis-O",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-O",
- "ResourceName": "redis-O",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "name": "redis-O",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-O",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -1008,10 +1001,9 @@
 ]
 },
 {
- "Name": "redis-P",
- "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-P",
- "ResourceName": "redis-P",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "name": "redis-P",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-P",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",
@@ -1116,7 +1108,7 @@
 "Name": "redis-S",
 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-S",
 "ResourceName": "redis-S",
- "ResourceType": "Microsoft.Cache/redisEnterprise",
+ "type": "Microsoft.Cache/redisEnterprise",
 "ResourceGroupName": "test-rg",
 "Location": "australiaeast",
 "SubscriptionId": "00000000-0000-0000-0000-000000000000",