# Managed Security Review for Azure

This page explains the _managed_ security reviews for Azure provided by Flatt Security.
Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

## To use managed security reviews

Apply the following Shisho Cloud workflows to your organization, and security review results will appear shortly afterwards:

- [Workflows for CIS Azure Foundations Benchmark v3.0.0](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/cis-benchmark/azure-v3.0.0)
- [More Workflows for Azure by Flatt Security](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/flatt/azure)

## All managed review items

| Title                                                                                            | Related Standards        | Default Severity | ID in Shisho Cloud                                                                      |
| ------------------------------------------------------------------------------------------------ | ------------------------ | ---------------- | --------------------------------------------------------------------------------------- |
| Ensure that connections to Azure Application Gateway are forced to use secure SSL/TLS versions   |                          | Medium           | `decision.api.shisho.dev/v1beta:azure_appgateway_min_tls_version`                       |
| Ensure that connections to Azure Application Gateway are forced to use HTTPS                     |                          | Medium           | `decision.api.shisho.dev/v1beta:azure_appgateway_transport`                             |
| Ensure that FTP is not allowed during deployment of Azure Web Apps                               | 9.3 (CIS Azure v3.0.0)   | Medium           | `decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_ftp`                  |
| Ensure that connections to Azure Web Apps are forced to use HTTPS                                | 9.1 (CIS Azure v3.0.0)   | Medium           | `decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_http`                 |
| Ensure that connections to Azure App Services are forced to use secure SSL/TLS versions          | 9.4 (CIS Azure v3.0.0)   | Medium           | `decision.api.shisho.dev/v1beta:azure_appservices_webapp_min_tls_version`               |
| Ensure to disable Web Apps remote debugging                                                      | 9.12 (CIS Azure v3.0.0)  | High             | `decision.api.shisho.dev/v1beta:azure_appservices_webapp_remote_debugging`              |
| Ensure to not publish images to Azure Compute Gallery                                            |                          | Critical         | `decision.api.shisho.dev/v1beta:azure_compute_community_gallery`                        |
| Ensure to not make Azure managed disks publicly accessible                                       | 8.5 (CIS Azure v3.0.0)   | High             | `decision.api.shisho.dev/v1beta:azure_compute_disk_public_access`                       |
| Ensure to not make Azure managed disk snapshots publicly accessible                              |                          | High             | `decision.api.shisho.dev/v1beta:azure_compute_snapshot_public_access`                   |
| Ensure no CosmosDB allows traffic from 0.0.0.0/0                                                 | 5.4.1 (CIS Azure v3.0.0) | Critical         | `decision.api.shisho.dev/v1beta:azure_cosmosdb_public_access`                           |
| Ensure to restrict non-administrator users from consenting to Entra applications                 | 2.12 (CIS Azure v3.0.0)  | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_app_consent`                              |
| Entra ID should have a Custom Bad Password List                                                  | 2.8 (CIS Azure v3.0.0)   | Low              | `decision.api.shisho.dev/v1beta:azure_entraid_banned_password_list`                     |
| Ensure to restrict Entra ID non-administrator users from creating applications                   | 2.14 (CIS Azure v3.0.0)  | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_default_create_app_permission`            |
| Ensure to restrict Entra ID non-administrator users from creating security groups                | 2.19 (CIS Azure v3.0.0)  | Low              | `decision.api.shisho.dev/v1beta:azure_entraid_default_create_security_group_permission` |
| Ensure to restrict Entra ID non-administrator users from creating tenants                        | 2.3 (CIS Azure v3.0.0)   | Low              | `decision.api.shisho.dev/v1beta:azure_entraid_default_create_tenant_permission`         |
| Ensure to require MFA for new device registration to Entra ID                                    | 2.22 (CIS Azure v3.0.0)  | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_device_registration`                      |
| Ensure to minimize the number of Entra ID global admins                                          | 2.26 (CIS Azure v3.0.0)  | High             | `decision.api.shisho.dev/v1beta:azure_entraid_global_admin`                             |
| Ensure that Entra ID guest users have limited access to tenant information                       | 2.15 (CIS Azure v3.0.0)  | Low              | `decision.api.shisho.dev/v1beta:azure_entraid_guest_baseline`                           |
| Ensure to restrict non-administrator users from inviting users to Entra ID                       | 2.16 (CIS Azure v3.0.0)  | High             | `decision.api.shisho.dev/v1beta:azure_entraid_invitation_permission`                    |
| Ensure to require MFA in Entra ID Conditional Access Policy                                      | 2.2.5 (CIS Azure v3.0.0) | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_mfa_cap`                                  |
| Ensure to prevent unintended sign-ins by multi-tenant Entra applications                         |                          | High             | `decision.api.shisho.dev/v1beta:azure_entraid_multi_tenant`                             |
| Ensure to enable per-user MFA for Entra ID                                                       | 2.1.2 (CIS Azure v3.0.0) | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_per_user_mfa`                             |
| Ensure to enable Entra ID Security Defaults                                                      | 2.1.1 (CIS Azure v3.0.0) | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_security_default`                         |
| Ensure that tenant-to-tenant transfer is not allowed in Azure subscription                       | 2.15 (CIS Azure v3.0.0)  | High             | `decision.api.shisho.dev/v1beta:azure_entraid_subscription_policy`                      |
| Ensure to use location-based Conditional Access Policy in Entra ID                               | 2.2.2 (CIS Azure v3.0.0) | Medium           | `decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_cap`                     |
| Ensure to define trusted locations in Entra ID                                                   | 2.2.1 (CIS Azure v3.0.0) | Low              | `decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_usage`                   |
| Ensure that connections to Azure Front Door are forced to use secure SSL/TLS versions            |                          | Medium           | `decision.api.shisho.dev/v1beta:azure_frontdoor_min_tls_version`                        |
| Ensure that connections to Azure Front Door are forced to use HTTPS                              |                          | Medium           | `decision.api.shisho.dev/v1beta:azure_frontdoor_transport`                              |
| Ensure that audit logging is enabled for Azure Database for MySQL/MariaDB                        | 4.4.3 (CIS Azure v3.0.0) | Medium           | `decision.api.shisho.dev/v1beta:azure_mysql_audit`                                      |
| Ensure that connection logging is enabled for Azure Database for MySQL/MariaDB                   | 5.3.4 (CIS Azure v3.0.0) | Low              | `decision.api.shisho.dev/v1beta:azure_mysql_audit_connection`                           |
| Ensure no Azure Database for MySQL allows traffic from 0.0.0.0/0                                 | 5.3.3 (CIS Azure v3.0.0) | Critical         | `decision.api.shisho.dev/v1beta:azure_mysql_public_access`                              |
| Ensure Azure Network Security Group flow logs are retained for a sufficient period               | 7.5 (CIS Azure v3.0.0)   | Low              | `decision.api.shisho.dev/v1beta:azure_networksecuritygroup_flow_log_retention`          |
| Ensure no Azure Network Security Group allows traffic from 0.0.0.0/0                             | 7.1 (CIS Azure v3.0.0)   | Critical         | `decision.api.shisho.dev/v1beta:azure_networksecuritygroup_public_access`               |
| Ensure Azure Network Watcher is enabled                                                          | 7.6 (CIS Azure v3.0.0)   | High             | `decision.api.shisho.dev/v1beta:azure_networkwatcher_usage`                             |
| Ensure that audit logging is enabled for Azure Database for PostgreSQL                           |                          | Medium           | `decision.api.shisho.dev/v1beta:azure_postgresql_audit`                                 |
| Ensure that connection logging is enabled for Azure Database for PostgreSQL                      | 5.2.6 (CIS Azure v3.0.0) | Low              | `decision.api.shisho.dev/v1beta:azure_postgresql_audit_connection`                      |
| Ensure that disconnection logging is enabled for Azure Database for PostgreSQL                   | 5.2.7 (CIS Azure v3.0.0) | Low              | `decision.api.shisho.dev/v1beta:azure_postgresql_audit_disconnection`                   |
| Ensure no Azure Database for PostgreSQL allows traffic from 0.0.0.0/0                            |                          | Critical         | `decision.api.shisho.dev/v1beta:azure_postgresql_public_access`                         |
| Ensure no Azure SQL Managed Database allows traffic from 0.0.0.0/0                               | 5.1.7 (CIS Azure v3.0.0) | Critical         | `decision.api.shisho.dev/v1beta:azure_sql_public_access`                                |
| Ensure that anonymous read access to Azure Storage Account is disabled                           | 4.17 (CIS Azure v3.0.0)  | Critical         | `decision.api.shisho.dev/v1beta:azure_storageaccount_anonymous_access`                  |
| Ensure that data access logging for Azure Storage Account Blob service is enabled                | 4.13 (CIS Azure v3.0.0)  | Medium           | `decision.api.shisho.dev/v1beta:azure_storageaccount_blob_logging`                      |
| Ensure that public network access to Azure Storage Account is disallowed                         | 4.6 (CIS Azure v3.0.0)   | High             | `decision.api.shisho.dev/v1beta:azure_storageaccount_blob_public_access`                |
| Ensure that soft delete is enabled for Azure Storage Account                                     | 4.10 (CIS Azure v3.0.0)  | Medium           | `decision.api.shisho.dev/v1beta:azure_storageaccount_blob_soft_delete`                  |
| Ensure that cross-tenant replication is disabled for Azure Storage Account                       | 4.16 (CIS Azure v3.0.0)  | High             | `decision.api.shisho.dev/v1beta:azure_storageaccount_cross_tenant`                      |
| Ensure that the default network access rule for Azure Storage Account is set to deny all traffic | 4.7 (CIS Azure v3.0.0)   | Medium           | `decision.api.shisho.dev/v1beta:azure_storageaccount_default_network_rule`              |
| Ensure that infrastructure encryption is enabled for Azure Storage Account                       | 4.2 (CIS Azure v3.0.0)   | Low              | `decision.api.shisho.dev/v1beta:azure_storageaccount_infrastructure_encryption`         |
| Ensure that Azure services access to Azure Storage Account is allowed outside of network rules   | 4.8 (CIS Azure v3.0.0)   | Info             | `decision.api.shisho.dev/v1beta:azure_storageaccount_network_bypass`                    |
| Ensure that private endpoint is used for accessing Azure Storage Account                         | 4.9 (CIS Azure v3.0.0)   | Info             | `decision.api.shisho.dev/v1beta:azure_storageaccount_private_endpoint`                  |
| Ensure that access logging for Azure Storage Account Queue Service is enabled                    | 4.12 (CIS Azure v3.0.0)  | Low              | `decision.api.shisho.dev/v1beta:azure_storageaccount_queue_logging`                     |
| Ensure that connections to Azure Storage Account are forced to use HTTPS                         | 4.1 (CIS Azure v3.0.0)   | Medium           | `decision.api.shisho.dev/v1beta:azure_storageaccount_secure_transfer`                   |
| Ensure that Shared Key authorization is disabled for Azure Storage Account                       |                          | Medium           | `decision.api.shisho.dev/v1beta:azure_storageaccount_shared_key`                        |
| Ensure that access logging for Azure Storage Account Table Service is enabled                    | 4.14 (CIS Azure v3.0.0)  | Low              | `decision.api.shisho.dev/v1beta:azure_storageaccount_table_logging`                     |
| Ensure that connections to Azure Storage Account are forced to use secure SSL/TLS versions       | 4.15 (CIS Azure v3.0.0)  | Medium           | `decision.api.shisho.dev/v1beta:azure_storageaccount_tls_version`                       |
