Managed Security Review for Azure

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains the managed security reviews for Azure provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

To use managed security reviews

By applying Shisho Cloud workflows to your organization, you'll see security review results soon:

All managed review items

| Title | Related Standards | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure that connections to Azure Application Gateway are forced to use secure SSL/TLS versions | | Medium | decision.api.shisho.dev/v1beta:azure_appgateway_min_tls_version |
| Ensure that connections to Azure Application Gateway are forced to use HTTPS | | Medium | decision.api.shisho.dev/v1beta:azure_appgateway_transport |
| Ensure that FTP is not allowed during deployment of Azure Web Apps | 9.3 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_ftp |
| Ensure that connections to Azure Web Apps are forced to use HTTPS | 9.1 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_http |
| Ensure that connections to Azure App Services are forced to use secure SSL/TLS versions | 9.4 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_min_tls_version |
| Ensure to disable Web Apps remote debugging | 9.12 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_appservices_webapp_remote_debugging |
| Ensure to not publish images to Azure Compute Gallery | | Critical | decision.api.shisho.dev/v1beta:azure_compute_community_gallery |
| Ensure to not make Azure managed disks publicly accessible | 8.5 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_compute_disk_public_access |
| Ensure to not make Azure managed disk snapshots publicly accessible | | High | decision.api.shisho.dev/v1beta:azure_compute_snapshot_public_access |
| Ensure no CosmosDB allows traffic from 0.0.0.0/0 | 5.4.1 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_cosmosdb_public_access |
| Ensure to restrict non-administrator users from consenting to Entra applications | 2.12 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_app_consent |
| Entra ID should have a Custom Bad Password List | 2.8 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_banned_password_list |
| Ensure to restrict Entra ID non-administrator users from creating applications | 2.14 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_default_create_app_permission |
| Ensure to restrict Entra ID non-administrator users from creating security groups | 2.19 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_default_create_security_group_permission |
| Ensure to restrict Entra ID non-administrator users from creating tenants | 2.3 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_default_create_tenant_permission |
| Ensure to require MFA for new device registration to Entra ID | 2.22 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_device_registration |
| Ensure to minimize the number of Entra ID global admins | 2.26 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_entraid_global_admin |
| Ensure that Entra ID guest users have limited access to tenant information | 2.15 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_guest_baseline |
| Ensure to restrict non-administrator users from inviting users to Entra ID | 2.16 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_entraid_invitation_permission |
| Ensure to require MFA in Entra ID Conditional Access Policy | 2.2.5 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_mfa_cap |
| Ensure to prevent unintended sign-ins by multi-tenant Entra applications | | High | decision.api.shisho.dev/v1beta:azure_entraid_multi_tenant |
| Ensure to enable per-user MFA for Entra ID | 2.1.2 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_per_user_mfa |
| Ensure to enable Entra ID Security Defaults | 2.1.1 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_security_default |
| Ensure that tenant-to-tenant transfer is not allowed in Azure subscription | 2.15 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_entraid_subscription_policy |
| Ensure to use location-based Conditional Access Policy in Entra ID | 2.2.2 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_cap |
| Ensure to define trusted locations in Entra ID | 2.2.1 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_usage |
| Ensure that connections to Azure Front Door are forced to use secure SSL/TLS versions | | Medium | decision.api.shisho.dev/v1beta:azure_frontdoor_min_tls_version |
| Ensure that connections to Azure Front Door are forced to use HTTPS | | Medium | decision.api.shisho.dev/v1beta:azure_frontdoor_transport |
| Ensure that audit logging is enabled for Azure Database for MySQL/MariaDB | 4.4.3 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_mysql_audit |
| Ensure that connection logging is enabled for Azure Database for MySQL/MariaDB | 5.3.4 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_mysql_audit_connection |
| Ensure no Azure Database for MySQL allows traffic from 0.0.0.0/0 | 5.3.3 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_mysql_public_access |
| Ensure Azure Network Security Group flow logs are retained for a sufficient period | 7.5 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_networksecuritygroup_flow_log_retention |
| Ensure no Azure Network Security Group allows traffic from 0.0.0.0/0 | 7.1 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_networksecuritygroup_public_access |
| Ensure Azure Network Watcher is enabled | 7.6 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_networkwatcher_usage |
| Ensure that audit logging is enabled for Azure Database for PostgreSQL | | Medium | decision.api.shisho.dev/v1beta:azure_postgresql_audit |
| Ensure that connection logging is enabled for Azure Database for PostgreSQL | 5.2.6 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_postgresql_audit_connection |
| Ensure that disconnection logging is enabled for Azure Database for PostgreSQL | 5.2.7 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_postgresql_audit_disconnection |
| Ensure no Azure Database for PostgreSQL allows traffic from 0.0.0.0/0 | | Critical | decision.api.shisho.dev/v1beta:azure_postgresql_public_access |
| Ensure no Azure SQL Managed Database allows traffic from 0.0.0.0/0 | 5.1.7 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_sql_public_access |
| Ensure that anonymous read access to Azure Storage Account is disabled | 4.17 (CIS Azure v3.0.0) | Critical | decision.api.shisho.dev/v1beta:azure_storageaccount_anonymous_access |
| Ensure that data access logging for Azure Storage Account Blob service is enabled | 4.13 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_logging |
| Ensure that public network access to Azure Storage Account is disallowed | 4.6 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_public_access |
| Ensure that soft delete is enabled for Azure Storage Account | 4.10 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_soft_delete |
| Ensure that cross-tenant replication is disabled for Azure Storage Account | 4.16 (CIS Azure v3.0.0) | High | decision.api.shisho.dev/v1beta:azure_storageaccount_cross_tenant |
| Ensure that the default network access rule for Azure Storage Account is set to deny all traffic | 4.7 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_default_network_rule |
| Ensure that infrastructure encryption is enabled for Azure Storage Account | 4.2 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_infrastructure_encryption |
| Ensure that Azure services access to Azure Storage Account is allowed outside of network rules | 4.8 (CIS Azure v3.0.0) | Info | decision.api.shisho.dev/v1beta:azure_storageaccount_network_bypass |
| Ensure that private endpoint is used for accessing Azure Storage Account | 4.9 (CIS Azure v3.0.0) | Info | decision.api.shisho.dev/v1beta:azure_storageaccount_private_endpoint |
| Ensure that access logging for Azure Storage Account Queue Service is enabled | 4.12 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_queue_logging |
| Ensure that connections to Azure Storage Account are forced to use HTTPS | 4.1 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_secure_transfer |
| Ensure that Shared Key authorization is disabled for Azure Storage Account | | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_shared_key |
| Ensure that access logging for Azure Storage Account Table Service is enabled | 4.14 (CIS Azure v3.0.0) | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_table_logging |
| Ensure that connections to Azure Storage Account are forced to use secure SSL/TLS versions | 4.15 (CIS Azure v3.0.0) | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_tls_version |