Governance Policies Security Data Protection - Azure/az-prototype GitHub Wiki
# Governance policies for Data Protection

Domain: security

| Name | Description |
|---|---|
| Key Vault reference in Container Apps | Reference a Key Vault secret from Container App environment variable |

| Anti-pattern | Instead |
|---|---|
| Do not hardcode secrets, API keys, or connection strings in application code or config files | Use Key Vault references or managed identity for credential-free access |
| Do not disable TDE or encryption at rest on any data service | Leave default encryption settings enabled; use customer-managed keys only if required |


| Check | Severity | Description |
|---|---|---|
| WAF-SEC-DP-001 | Required | Enable encryption at rest for all data services (TDE, SSE, or service-managed keys) |
| WAF-SEC-DP-002 | Required | Enforce TLS 1.2+ for all data-in-transit connections |
| WAF-SEC-DP-003 | Recommended | Store application secrets and connection configuration in Azure Key Vault, not in code or environment variables |
| WAF-SEC-DP-004 | Recommended | Use Azure Key Vault references in App Service and Container Apps configuration instead of plaintext secrets |

## WAF-SEC-DP-001: Enable encryption at rest for all data services (TDE, SSE, or service-managed keys)

Severity: Required
Rationale: Encryption at rest is enabled by default on most Azure services; ensure it is not disabled
Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Resource types:
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Search/searchServices
- Microsoft.CognitiveServices/accounts

## WAF-SEC-DP-002: Enforce TLS 1.2+ for all data-in-transit connections

Severity: Required
Rationale: Older TLS versions have known vulnerabilities
Agents: cloud-architect, terraform-agent, bicep-agent

Resource types:
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Search/searchServices
- Microsoft.CognitiveServices/accounts
- Microsoft.ContainerRegistry/registries

## WAF-SEC-DP-003: Store application secrets and connection configuration in Azure Key Vault, not in code or environment variables

Severity: Recommended
Rationale: Key Vault provides auditing, rotation support, and access control for secrets
Agents: cloud-architect, app-developer, csharp-developer, python-developer, biz-analyst

Resource types:
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts

## WAF-SEC-DP-004: Use Azure Key Vault references in App Service and Container Apps configuration instead of plaintext secrets

Severity: Recommended
Rationale: Key Vault references are resolved at runtime, avoiding secret sprawl
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer

Resource types:
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.Cache/redis
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
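
The following is an added example, not part of this wiki or the az-prototype tooling, showing how the TLS check (WAF-SEC-DP-002) and the Key Vault reference check (WAF-SEC-DP-004) above can be evaluated against ARM-style resource JSON. The sample resources are constructed; the property names (`minimumTlsVersion`, `minimalTlsVersion`, `configuration.secrets[].keyVaultUrl`, `env[].secretRef`) follow the Azure resource schemas, and the secret-name regex is a heuristic, not a provider rule.

```python
import re

# Constructed sample resources (not from the wiki). Property names follow the
# ARM schemas for Microsoft.Storage, Microsoft.Sql and Microsoft.App.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
     "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Sql/servers", "name": "sqlweak",
     "properties": {"minimalTlsVersion": "1.1"}},
    {"type": "Microsoft.App/containerApps", "name": "api-bad", "properties": {
        "configuration": {"secrets": [{"name": "db-pass", "value": "hunter2"}]},
        "template": {"containers": [{"env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}},
    {"type": "Microsoft.App/containerApps", "name": "api-good", "properties": {
        "configuration": {"secrets": [{"name": "db-pass", "identity": "system",
                                       "keyVaultUrl": "https://kv-example.vault.azure.net/secrets/db-pass"}]},
        "template": {"containers": [{"env": [{"name": "DB_PASSWORD", "secretRef": "db-pass"}]}]}}},
]
SECRET_HINT = re.compile(r"secret|password|passwd|token|key|conn", re.I)  # heuristic only

def _tls_ok(ver):
    """True when ver ("TLS1_2" storage style or "1.2" SQL style) is 1.2 or newer."""
    try:
        return float(str(ver).removeprefix("TLS").replace("_", ".")) >= 1.2
    except ValueError:
        return False  # unset or "None" means no minimum version is enforced

def check_tls(res):
    """WAF-SEC-DP-002: minimum TLS must be explicitly set to 1.2 or newer."""
    props = res.get("properties", {})
    if res["type"] == "Microsoft.Storage/storageAccounts":
        ver = props.get("minimumTlsVersion")
    elif res["type"] == "Microsoft.Sql/servers":
        ver = props.get("minimalTlsVersion")
    else:
        return []
    return [] if _tls_ok(ver) else [f"WAF-SEC-DP-002 {res['name']}: min TLS is {ver}, require 1.2+"]

def check_kv_refs(res):
    """WAF-SEC-DP-004: Container App secrets must be Key Vault references, and
    secret-looking env vars must use secretRef rather than an inline value."""
    if res["type"] != "Microsoft.App/containerApps":
        return []
    props, out = res.get("properties", {}), []
    for s in props.get("configuration", {}).get("secrets", []):
        if "keyVaultUrl" not in s:  # inline 'value' = plaintext secret in the template
            out.append(f"WAF-SEC-DP-004 {res['name']}: secret '{s['name']}' is inline, not a Key Vault reference")
    for c in props.get("template", {}).get("containers", []):
        for env in c.get("env", []):
            if "value" in env and SECRET_HINT.search(env["name"]):
                out.append(f"WAF-SEC-DP-004 {res['name']}: env '{env['name']}' has a plaintext value; use secretRef")
    return out

def run_checks(resources=SAMPLE_RESOURCES):
    """Return all findings across resources; an empty list means compliant."""
    return [f for r in resources for f in check_tls(r) + check_kv_refs(r)]
```

Running `run_checks()` on the sample set flags `stlegacy`, `sqlweak` and both defects in `api-bad`, while `stgood` and `api-good` produce no findings.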