Governance Policies Security Authentication - Azure/az-prototype GitHub Wiki
# Governance policies for Authentication

Domain: security
## Patterns

| Name | Description |
|---|---|
| Managed identity for service-to-service | Use managed identity to avoid storing credentials |
| Key Vault for external secrets | Store third-party API keys or connection strings in Key Vault |
## Anti-patterns

| Anti-pattern | Instead |
|---|---|
| Do not embed API keys or passwords in application source code | Use managed identity for Azure services, or Key Vault for external secrets |
| Do not assign Owner or Contributor roles at subscription or resource group scope | Use the most specific built-in role at the narrowest scope possible |
## Checks

| Check | Severity | Description |
|---|---|---|
| WAF-SEC-AUTH-001 | Required | Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables |
| WAF-SEC-AUTH-002 | Recommended | Assign least-privilege RBAC roles for all service principals and user accounts |
| WAF-SEC-AUTH-003 | Recommended | Prefer app registrations with scoped permissions over shared API keys for client authentication |
## WAF-SEC-AUTH-001: Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables

**Severity:** Required

**Rationale:** Hardcoded secrets leak through source control, logs, and error messages.

**Agents:** cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent, biz-analyst

**Applies to resource types:**
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerService/managedClusters
## WAF-SEC-AUTH-002: Assign least-privilege RBAC roles for all service principals and user accounts

**Severity:** Recommended

**Rationale:** The principle of least privilege limits the blast radius of a compromised credential.

**Agents:** cloud-architect, terraform-agent, bicep-agent, biz-analyst

**Applies to resource types:**
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerService/managedClusters
## WAF-SEC-AUTH-003: Prefer app registrations with scoped permissions over shared API keys for client authentication

**Severity:** Recommended

**Rationale:** App registrations support scoped permissions, token expiry, and audit logging.

**Agents:** cloud-architect, app-developer, csharp-developer, python-developer, biz-analyst

**Applies to resource types:**
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
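The two checks WAF-SEC-AUTH-001 and WAF-SEC-AUTH-002 above, written out as a small evaluator over constructed app settings and RBAC role assignments. This is an added example, not the wiki's or the az-prototype project's own tooling; the setting-name heuristic, the sample values and the `evaluate` pass/fail rule are assumptions, while the `@Microsoft.KeyVault(...)` reference syntax and the Owner/Contributor role names are real Azure conventions.

```python
import re

# Constructed sample inputs (not from the wiki): app settings of a web app and its RBAC assignments.
SAMPLE_SETTINGS = {
    "SqlConnectionString": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/sql-conn)",
    "ThirdPartyApiKey": "sk-EXAMPLE-not-a-real-key",  # literal credential in config: violates AUTH-001
    "AppInsights__Enabled": "true",
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
SAMPLE_ASSIGNMENTS = [
    {"principal": "api-mi", "role": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "api-mi", "role": "Key Vault Secrets User",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/example-kv"},
    {"principal": "ops-team", "role": "Owner", "scope": SUB},
]

# Roles and scopes the anti-pattern table calls out: Owner/Contributor at subscription or resource-group scope.
BROAD_ROLES = {"Owner", "Contributor"}
BROAD_SCOPE = re.compile(r"^/subscriptions/[^/]+(/resourceGroups/[^/]+)?/?$", re.IGNORECASE)
# Heuristic (assumption): setting names that usually carry a credential, and the App Service Key Vault
# reference syntax that means the value is resolved from Key Vault at runtime rather than stored literally.
SECRET_NAME = re.compile(r"password|pwd|secret|api[_-]?key|accountkey|connectionstring", re.IGNORECASE)
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.IGNORECASE)


def check_app_settings(settings):
    """WAF-SEC-AUTH-001: a credential-looking setting must be a Key Vault reference, not a literal value."""
    return [("WAF-SEC-AUTH-001", name) for name, value in settings.items()
            if SECRET_NAME.search(name) and not KEYVAULT_REF.match(value)]


def check_role_assignments(assignments):
    """WAF-SEC-AUTH-002: flag Owner/Contributor granted at subscription or resource-group scope."""
    return [("WAF-SEC-AUTH-002", a["principal"], a["role"], a["scope"]) for a in assignments
            if a["role"] in BROAD_ROLES and BROAD_SCOPE.match(a["scope"])]


def evaluate(settings, assignments):
    """Run both checks; a Required finding (AUTH-001) fails the evaluation, Recommended ones only warn."""
    findings = check_app_settings(settings) + check_role_assignments(assignments)
    required_failed = any(f[0] == "WAF-SEC-AUTH-001" for f in findings)
    return {"findings": findings, "passed": not required_failed}


if __name__ == "__main__":
    result = evaluate(SAMPLE_SETTINGS, SAMPLE_ASSIGNMENTS)
    for finding in result["findings"]:
        print(*finding)
    print("passed" if result["passed"] else "FAILED: a Required check did not pass")
```

The Key Vault Secrets User assignment scoped to a single vault is the "most specific built-in role at the narrowest scope" the anti-pattern table asks for, and is left unflagged.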