Managed Security Review for Azure
Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page lists the managed security review items for Azure provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.
To use managed security reviews
Once the Shisho Cloud workflows are applied to your organization, the results for the review items listed below appear in Shisho Cloud.
All managed review items
Title | Related Standards | Default Severity | ID in Shisho Cloud |
---|---|---|---|
Ensure that connections to Azure Application Gateway are forced to use secure SSL/TLS versions |  | Medium | decision.api.shisho.dev/v1beta:azure_appgateway_min_tls_version |
Ensure that connections to Azure Application Gateway are forced to use HTTPS |  | Medium | decision.api.shisho.dev/v1beta:azure_appgateway_transport |
Ensure that FTP is not allowed during deployment of Azure Web Apps | 9.3 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_ftp |
Ensure that connections to Azure Web Apps are forced to use HTTPS | 9.1 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_http |
Ensure that connections to Azure App Services are forced to use secure SSL/TLS versions | 9.4 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_min_tls_version |
Ensure that remote debugging is disabled for Azure Web Apps | 9.12 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_appservices_webapp_remote_debugging |
Ensure that Azure Compute Gallery images are not published to a community gallery |  | Critical | decision.api.shisho.dev/v1beta:azure_compute_community_gallery |
Ensure that Azure managed disks are not publicly accessible | 8.5 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_compute_disk_public_access |
Ensure that Azure managed disk snapshots are not publicly accessible |  | High | decision.api.shisho.dev/v1beta:azure_compute_snapshot_public_access |
Ensure no CosmosDB allows traffic from 0.0.0.0/0 | 5.4.1 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_cosmosdb_public_access |
Ensure that non-administrator users are restricted from consenting to Entra applications | 2.12 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_app_consent |
Ensure that Entra ID has a custom banned password list | 2.8 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_banned_password_list |
Ensure that Entra ID non-administrator users are restricted from creating applications | 2.14 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_default_create_app_permission |
Ensure that Entra ID non-administrator users are restricted from creating security groups | 2.19 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_default_create_security_group_permission |
Ensure that Entra ID non-administrator users are restricted from creating tenants | 2.3 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_default_create_tenant_permission |
Ensure that MFA is required to register new devices in Entra ID | 2.22 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_device_registration |
Ensure that the number of Entra ID global administrators is minimized | 2.26 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_entraid_global_admin |
Ensure that Entra ID guest users have limited access to tenant information | 2.15 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_guest_baseline |
Ensure that non-administrator users are restricted from inviting users to Entra ID | 2.16 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_entraid_invitation_permission |
Ensure that MFA is required by an Entra ID Conditional Access Policy | 2.2.5 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_mfa_cap |
Ensure that multi-tenant Entra applications do not allow unintended sign-ins |  | High | decision.api.shisho.dev/v1beta:azure_entraid_multi_tenant |
Ensure that per-user MFA is enabled for Entra ID | 2.1.2 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_per_user_mfa |
Ensure that Entra ID Security Defaults are enabled | 2.1.1 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_security_default |
Ensure that tenant-to-tenant transfer is not allowed in Azure subscription | 2.15 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_entraid_subscription_policy |
Ensure that a location-based Conditional Access Policy is used in Entra ID | 2.2.2 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_cap |
Ensure that trusted locations are defined in Entra ID | 2.2.1 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_usage |
Ensure that connections to Azure Front Door are forced to use secure SSL/TLS versions |  | Medium | decision.api.shisho.dev/v1beta:azure_frontdoor_min_tls_version |
Ensure that connections to Azure Front Door are forced to use HTTPS |  | Medium | decision.api.shisho.dev/v1beta:azure_frontdoor_transport |
Ensure that audit logging is enabled for Azure Database for MySQL/MariaDB | 4.4.3 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_mysql_audit |
Ensure that connection logging is enabled for Azure Database for MySQL/MariaDB | 5.3.4 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_mysql_audit_connection |
Ensure no Azure Database for MySQL allows traffic from 0.0.0.0/0 | 5.3.3 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_mysql_public_access |
Ensure Azure Network Security Group flow logs are retained for a sufficient period | 7.5 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_networksecuritygroup_flow_log_retention |
Ensure no Azure Network Security Group allows traffic from 0.0.0.0/0 | 7.1 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_networksecuritygroup_public_access |
Ensure Azure Network Watcher is enabled | 7.6 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_networkwatcher_usage |
Ensure that audit logging is enabled for Azure Database for PostgreSQL |  | Medium | decision.api.shisho.dev/v1beta:azure_postgresql_audit |
Ensure that connection logging is enabled for Azure Database for PostgreSQL | 5.2.6 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_postgresql_audit_connection |
Ensure that disconnection logging is enabled for Azure Database for PostgreSQL | 5.2.7 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_postgresql_audit_disconnection |
Ensure no Azure Database for PostgreSQL allows traffic from 0.0.0.0/0 |  | Critical | decision.api.shisho.dev/v1beta:azure_postgresql_public_access |
Ensure no Azure SQL Managed Database allows traffic from 0.0.0.0/0 | 5.1.7 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_sql_public_access |
Ensure that anonymous read access to Azure Storage Account is disabled | 4.17 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_storageaccount_anonymous_access |
Ensure that data access logging for Azure Storage Account Blob service is enabled | 4.13 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_logging |
Ensure that public network access to Azure Storage Account is disabled | 4.6 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_public_access |
Ensure that soft delete is enabled for Azure Storage Account | 4.10 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_soft_delete |
Ensure that cross-tenant replication is disabled for Azure Storage Account | 4.16 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_storageaccount_cross_tenant |
Ensure that the default network access rule for Azure Storage Account is set to deny all traffic | 4.7 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_default_network_rule |
Ensure that infrastructure encryption is enabled for Azure Storage Account | 4.2 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_infrastructure_encryption |
Ensure that trusted Azure services are allowed to bypass the network rules of Azure Storage Account | 4.8 (CIS Azure v3.0.0) | Info | decision.api.shisho.dev/v1beta:azure_storageaccount_network_bypass |
Ensure that private endpoint is used for accessing Azure Storage Account | 4.9 (CIS Azure v3.0.0) | Info | decision.api.shisho.dev/v1beta:azure_storageaccount_private_endpoint |
Ensure that access logging for Azure Storage Account Queue Service is enabled | 4.12 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_queue_logging |
Ensure that connections to Azure Storage Account are forced to use HTTPS | 4.1 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_secure_transfer |
Ensure that Shared Key authorization is disabled for Azure Storage Account |  | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_shared_key |
Ensure that access logging for Azure Storage Account Table Service is enabled | 4.14 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_table_logging |
Ensure that connections to Azure Storage Account are forced to use secure SSL/TLS versions | 4.15 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_tls_version |
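Most of the Azure Storage Account items above map to a handful of properties on the storage account resource itself. The following Python, an added example that is not Shisho Cloud's own policy code, evaluates one account against those items offline and labels each failure with the ID and Default Severity from the table. It assumes the JSON shape printed by `az storage account show -o json` (the ARM `Microsoft.Storage/storageAccounts` properties; the CLI names the HTTPS-only flag `enableHttpsTrafficOnly` while the REST API names it `supportsHttpsTrafficOnly`, and both are accepted). The sample account is constructed for the example, not a real resource, and the logging and soft-delete items are left out because they live on the Blob/Queue/Table service resources and diagnostic settings rather than on the account.

```python
"""Evaluate a storage account against the storage-account review items above.

Added example, not Shisho Cloud's own policy code. Input is the JSON shape
of `az storage account show -o json` (ARM Microsoft.Storage/storageAccounts
properties). Logging and soft-delete items are not covered here: they are
configured on the Blob/Queue/Table services, not on the account resource.
"""
import json
from dataclasses import dataclass

PREFIX = "decision.api.shisho.dev/v1beta:"
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str    # "ID in Shisho Cloud" column of the table above
    severity: str   # "Default Severity" column of the table above
    message: str


def _tls_tuple(value) -> tuple:
    """'TLS1_2' -> (1, 2); a missing or unparseable value becomes (0, 0) and fails."""
    try:
        major, minor = value.removeprefix("TLS").split("_")
        return int(major), int(minor)
    except (AttributeError, ValueError):
        return 0, 0


def evaluate_storage_account(acct: dict) -> list:
    """One Finding per failing item, most severe first; an empty list means all pass."""
    findings = []

    def fail(rule, severity, message):
        findings.append(Finding(PREFIX + rule, severity, message))

    # The CLI names this flag enableHttpsTrafficOnly, the REST API supportsHttpsTrafficOnly.
    if acct.get("enableHttpsTrafficOnly", acct.get("supportsHttpsTrafficOnly")) is not True:
        fail("azure_storageaccount_secure_transfer", "Medium", "secure transfer (HTTPS only) is not required")
    if _tls_tuple(acct.get("minimumTlsVersion")) < (1, 2):
        fail("azure_storageaccount_tls_version", "Medium",
             f"minimumTlsVersion is {acct.get('minimumTlsVersion')!r}, want TLS1_2 or later")
    # Only an explicit false passes: a null value has historically meant "allowed" on older accounts.
    if acct.get("allowBlobPublicAccess") is not False:
        fail("azure_storageaccount_anonymous_access", "Critical", "allowBlobPublicAccess is not false")
    if acct.get("publicNetworkAccess") != "Disabled":
        fail("azure_storageaccount_blob_public_access", "High", "publicNetworkAccess is not Disabled")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        fail("azure_storageaccount_default_network_rule", "Medium", "networkRuleSet.defaultAction is not Deny")
    # bypass is a comma-separated string such as "AzureServices, Logging, Metrics".
    bypass = {b.strip() for b in str(rules.get("bypass") or "").split(",")}
    if "AzureServices" not in bypass:
        fail("azure_storageaccount_network_bypass", "Info", "trusted Azure services do not bypass network rules")
    if not acct.get("privateEndpointConnections"):
        fail("azure_storageaccount_private_endpoint", "Info", "no private endpoint connection is attached")
    if acct.get("allowSharedKeyAccess") is not False:
        fail("azure_storageaccount_shared_key", "Medium", "Shared Key authorization is still allowed")
    if acct.get("allowCrossTenantReplication") is not False:
        fail("azure_storageaccount_cross_tenant", "High", "cross-tenant object replication is still allowed")
    if (acct.get("encryption") or {}).get("requireInfrastructureEncryption") is not True:
        fail("azure_storageaccount_infrastructure_encryption", "Low", "infrastructure encryption is not enabled")

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: table order within a severity
    return findings


# Constructed sample (not a real account): a legacy-style configuration that still
# allows anonymous blobs and Shared Key, with public network access wide open.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplelegacystore",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": null,
  "allowCrossTenantReplication": true,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                     "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [],
  "encryption": {"requireInfrastructureEncryption": false}
}
""")

if __name__ == "__main__":
    for f in evaluate_storage_account(SAMPLE_ACCOUNT):
        print(f"[{f.severity:<8}] {f.rule_id}: {f.message}")
```

To run it against a real account, save `az storage account show -n NAME -g RESOURCE_GROUP -o json` to a file and pass `json.load(open(path))` to `evaluate_storage_account`. Two design choices are deliberate: a boolean check passes only on the explicit value the item asks for, never on a missing key, and the network-rule and bypass items are reported even when `publicNetworkAccess` is `Disabled`, because the table treats them as separate items; filter them out if that is noise for your environment.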
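The Network Security Group item (`azure_networksecuritygroup_public_access`) asks whether any rule lets traffic in from 0.0.0.0/0, and a naive check that flags every rule whose source is `*` produces false positives. Azure evaluates NSG rules by ascending priority and the first matching rule wins, so an Allow rule shadowed by a lower-numbered Deny exposes nothing, an Allow scoped to a narrow source does not expose the port to the whole Internet, and ports no custom rule decides fall through to the default DenyAllInBound rule at priority 65500. The following Python, an added example and not Shisho Cloud's policy code, walks the inbound rules in priority order and reports the destination ports an arbitrary Internet source is allowed to reach. It assumes the `securityRules` shape printed by `az network nsg show -o json`, treats `*`, `0.0.0.0/0`, `::/0` and the `Internet` service tag as "any Internet source", and uses an NSG constructed for the example.

```python
"""Which destination ports does an arbitrary Internet source reach through an NSG?

Added example, not Shisho Cloud's policy code. Input follows the `securityRules`
shape of `az network nsg show -o json`. Azure evaluates inbound rules by ascending
priority and the first match wins; ports no custom rule decides fall through to the
default DenyAllInBound rule (priority 65500), so undecided ports count as closed.
"""

PORT_MAX = 65535
# Source prefixes that cover every Internet address (service tag compared case-insensitively).
ANY_INTERNET = {"*", "0.0.0.0/0", "::/0", "internet"}


def _covers_whole_internet(rule: dict) -> bool:
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(p.strip().lower() in ANY_INTERNET for p in prefixes)


def _dest_port_ranges(rule: dict):
    """Yield (lo, hi) for the '*', '443' and '3000-3100' forms, from either field."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    for item in raw:
        item = item.strip()
        if item == "*":
            yield 0, PORT_MAX
        elif "-" in item:
            lo, hi = item.split("-", 1)
            yield int(lo), int(hi)
        else:
            yield int(item), int(item)


def internet_exposed_ports(nsg: dict) -> dict:
    """Return {'Tcp': [(lo, hi, rule_name), ...], 'Udp': [...]}: destination port ranges
    that a packet from any Internet address is allowed to reach, with the rule allowing it."""
    # verdict[proto][port] = (allowed, rule_name) from the first matching rule, else None
    verdict = {"Tcp": [None] * (PORT_MAX + 1), "Udp": [None] * (PORT_MAX + 1)}
    inbound = [r for r in nsg.get("securityRules", [])
               if str(r.get("direction", "")).lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: int(r["priority"])):
        # A rule scoped to a narrower source never decides for the Internet as a whole:
        # a narrow Allow exposes nothing globally and a narrow Deny protects nothing globally.
        if not _covers_whole_internet(rule):
            continue
        proto = str(rule.get("protocol", "*")).lower()
        protos = ["Tcp", "Udp"] if proto == "*" else [proto.capitalize()]
        allowed = str(rule.get("access", "")).lower() == "allow"
        for p in protos:
            if p not in verdict:  # Icmp/Esp/Ah rules carry no destination port
                continue
            table = verdict[p]
            for lo, hi in _dest_port_ranges(rule):
                for port in range(lo, hi + 1):
                    if table[port] is None:  # first match wins; later rules are shadowed
                        table[port] = (allowed, rule["name"])

    exposed = {}
    for p, table in verdict.items():
        ranges = []
        for port, entry in enumerate(table):
            if entry is None or not entry[0]:
                continue
            name = entry[1]
            if ranges and ranges[-1][1] == port - 1 and ranges[-1][2] == name:
                ranges[-1] = (ranges[-1][0], port, name)  # extend the open range
            else:
                ranges.append((port, port, name))
        exposed[p] = ranges
    return exposed


# Constructed sample NSG (not a real resource). Note the shadowed RDP allow, the
# office-only SSH rule, and the protocol "*" rule that exposes both TCP and UDP.
SAMPLE_NSG = {"name": "example-nsg", "securityRules": [
    {"name": "DenyRdpFromInternet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowSshFromOffice", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowWeb", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["*"], "destinationPortRanges": ["80", "443"]},
    {"name": "AllowMgmtRange", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "3000-3100"},
    {"name": "AllowRdpFromAnywhere", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowAllOutbound", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]}

if __name__ == "__main__":
    for proto, ranges in internet_exposed_ports(SAMPLE_NSG).items():
        for lo, hi, name in ranges:
            print(f"{proto} {lo}-{hi} exposed to the Internet by rule {name}")
```

The result for the sample is `Tcp` 80, 443 and 3000-3100 and `Udp` 3000-3100: port 3389 is not reported because the Deny at priority 100 shadows the later Allow, and port 22 is not reported because its only Allow is scoped to one public /24. The function looks at a single NSG in isolation; application security groups, a second NSG on the subnet or NIC, and Azure Firewall are outside its view, so treat its output as the NSG's own contribution to exposure rather than a verdict on the whole path.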