Governance Policies Waf Security - Azure/az-prototype GitHub Wiki
4 services, 16 rules
File: authentication.policy.yaml
Services: container-apps, app-service, functions, api-management, sql-database, cosmos-db

| Policy ID | Description | Agents |
|---|---|---|
| WAF-SEC-AUTH-001 | [required] Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables | cloud-architect, app-developer, terraform-agent, bicep-agent, biz-analyst |
| WAF-SEC-AUTH-002 | [recommended] Assign least-privilege RBAC roles for all service principals and user accounts | cloud-architect, terraform-agent, bicep-agent, biz-analyst |
| WAF-SEC-AUTH-003 | [recommended] Prefer app registrations with scoped permissions over shared API keys for client authentication | cloud-architect, app-developer, biz-analyst |

- Don't: Do not embed API keys or passwords in application source code. Instead: Use managed identity for Azure services or Key Vault for external secrets.
- Don't: Do not assign Owner or Contributor roles at subscription or resource group scope. Instead: Use the most specific built-in role at the narrowest scope possible.

File: data-protection.policy.yaml
Services: sql-database, cosmos-db, storage, key-vault

| Policy ID | Description | Agents |
|---|---|---|
| WAF-SEC-DP-001 | [required] Enable encryption at rest for all data services (TDE, SSE, or service-managed keys) | cloud-architect, terraform-agent, bicep-agent, biz-analyst |
| WAF-SEC-DP-002 | [required] Enforce TLS 1.2+ for all data-in-transit connections | cloud-architect, terraform-agent, bicep-agent |
| WAF-SEC-DP-003 | [recommended] Store application secrets and connection configuration in Azure Key Vault, not in code or environment variables | cloud-architect, app-developer, biz-analyst |
| WAF-SEC-DP-004 | [recommended] Use Azure Key Vault references in App Service and Container Apps configuration instead of plaintext secrets | cloud-architect, terraform-agent, bicep-agent, app-developer |

- Don't: Do not hardcode secrets, API keys, or connection strings in application code or config files. Instead: Use Key Vault references or managed identity for credential-free access.
- Don't: Do not disable TDE or encryption at rest on any data service. Instead: Leave default encryption settings enabled; use customer-managed keys only if required.

File: managed-identity.policy.yaml
Services: container-apps, app-service, functions, key-vault, sql-database, cosmos-db, storage

| Policy ID | Description | Agents |
|---|---|---|
| WAF-SEC-MI-001 | [required] Use system-assigned managed identity for single-service resources | cloud-architect, terraform-agent, bicep-agent, biz-analyst |
| WAF-SEC-MI-002 | [required] Use user-assigned managed identity when identity is shared across resources | cloud-architect, terraform-agent, bicep-agent |
| WAF-SEC-MI-003 | [required] Never use service principal client secrets for service-to-service auth | cloud-architect, terraform-agent, bicep-agent, app-developer, biz-analyst |
| WAF-SEC-MI-004 | [recommended] Assign least-privilege RBAC roles, never Owner or Contributor at resource group scope | cloud-architect, terraform-agent, bicep-agent, biz-analyst |

- Don't: Do not store client secrets or certificates in application config. Instead: Use managed identity; the Azure SDK handles token acquisition automatically.

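
An added example (not part of the wiki or the az-prototype project) of a check that enforces WAF-SEC-AUTH-001, WAF-SEC-DP-003/DP-004 and WAF-SEC-MI-003 on generated IaC: it scans a Terraform app_settings map or a Bicep appSettings list and flags credential-looking settings that hold a literal value instead of a Key Vault reference. The sample configuration, setting names and vault name are constructed.

```python
import re

# Both Key Vault reference forms that App Service and Container Apps resolve at start-up.
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((SecretUri=https://[^)]+|VaultName=[^;)]+;SecretName=[^;)]+)\)$"
)
# Setting names that normally carry a credential.
SENSITIVE = re.compile(r"secret|password|pwd|api[_-]?key|connection[_-]?string|token|credential", re.I)
# Terraform map entry:  "KEY" = "value"    Bicep appSettings item:  { name: 'KEY', value: 'v' }
TF_ENTRY = re.compile(r'^\s*"?([\w.:-]+)"?\s*=\s*"(.*)"\s*$')
BICEP_ENTRY = re.compile(r"name:\s*'([^']+)'\s*,?\s*value:\s*'([^']*)'")

def scan_app_settings(text: str) -> list:
    """Return (line, key, problem) for each setting that embeds a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TF_ENTRY.match(line) or BICEP_ENTRY.search(line)
        if not m or not SENSITIVE.search(m.group(1)):
            continue
        key, value = m.group(1), m.group(2)
        if KV_REF.match(value):
            continue  # compliant: the platform fetches the value from Key Vault
        if value.startswith("${"):
            continue  # Terraform interpolation; where that value comes from is checked elsewhere
        findings.append((lineno, key, "literal credential in application config"))
    return findings

# Constructed sample: one Terraform app_settings map and one Bicep appSettings list.
SAMPLE_TF = """\
resource "azurerm_linux_web_app" "api" {
  app_settings = {
    "ApiKey"                      = "sk-test-0123456789abcdef"
    "AZURE_SQL_CONNECTION_STRING" = "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/sql-conn/)"
    "STORAGE_ACCOUNT_URL"         = "https://stexample.blob.core.windows.net"
    "SMTP_PASSWORD"               = "@Microsoft.KeyVault(VaultName=kv-example;SecretName=smtp-pw)"
  }
}
"""
SAMPLE_BICEP = """\
appSettings: [
  { name: 'DB_PASSWORD', value: 'hunter2' }
  { name: 'SqlConnectionString', value: '@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/sql-conn/)' }
]
"""

if __name__ == "__main__":
    for n, key, problem in scan_app_settings(SAMPLE_TF) + scan_app_settings(SAMPLE_BICEP):
        print(f"line {n}: {key}: {problem}")
```

Only the ApiKey and DB_PASSWORD entries are reported; the two Key Vault references pass, and a non-credential setting such as a storage URL is ignored regardless of its value.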
File: network-isolation.policy.yaml
Services: container-apps, app-service, key-vault, sql-database, cosmos-db, storage

| Policy ID | Description | Agents |
|---|---|---|
| WAF-SEC-NET-001 | [required] Disable public network access AND use private endpoints for all PaaS data services. Set publicNetworkAccess to Disabled (or public_network_access_enabled to false) on every PaaS resource. NEVER generate public_network_access_enabled = true or publicNetworkAccess = Enabled. | cloud-architect, terraform-agent, bicep-agent, biz-analyst |
| WAF-SEC-NET-002 | [required] Deploy workloads in a dedicated subnet within the landing zone VNET | cloud-architect, terraform-agent, bicep-agent, biz-analyst |
| WAF-SEC-NET-005 | [required] Every Azure PaaS resource that supports publicNetworkAccess MUST explicitly set it to Disabled — including publicNetworkAccessForIngestion and publicNetworkAccessForQuery on Log Analytics and Application Insights. This applies to ALL environments including POC and development. There are NO exceptions — POC environments MUST be secure. In Terraform azapi_resource body blocks, set publicNetworkAccess = "Disabled". In Bicep, set properties.publicNetworkAccess = 'Disabled'. | terraform-agent, bicep-agent |
| WAF-SEC-NET-003 | [recommended] Use NSGs to restrict traffic between subnets to only required ports | cloud-architect, terraform-agent, bicep-agent |
| WAF-SEC-NET-004 | [recommended] Enable diagnostic logging on NSGs for traffic auditing | cloud-architect, terraform-agent, bicep-agent |

- Don't: Do not allow 0.0.0.0/0 in any NSG or firewall rule. Instead: Use specific IP ranges or service tags.
- Don't: Do not rely solely on service firewalls without VNET integration. Instead: Use private endpoints + VNET integration for defense in depth.
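
An added example, not from the wiki or the az-prototype project, of a scan that enforces WAF-SEC-NET-001/NET-005 and the NSG Don't above over generated Terraform or Bicep text. It flags explicit Enabled/true settings in azurerm attributes, azapi bodies and Bicep properties (including the Log Analytics ForIngestion/ForQuery variants), NSG rules whose source is 0.0.0.0/0 or its * shorthand (the shorthand goes beyond the page's wording), and azurerm resources of an assumed type subset that never set the attribute at all. The sample configuration is constructed.

```python
import re

# azurerm types (an assumed subset) that expose public_network_access_enabled.
PNA_TYPES = {"azurerm_storage_account", "azurerm_key_vault", "azurerm_mssql_server", "azurerm_cosmosdb_account"}
PNA_TF = re.compile(r"\bpublic_network_access_enabled\s*=\s*(true|false)\b")   # azurerm boolean form
# azapi body / Bicep string form, including the Log Analytics and Application Insights variants
PNA_STR = re.compile(r"\b(publicNetworkAccess(?:ForIngestion|ForQuery)?)\s*[:=]\s*[\"'](Enabled|Disabled)[\"']")
# NSG rule whose source is everything: 0.0.0.0/0 or its "*" shorthand
OPEN_SRC = re.compile(r"\b(?:source_address_prefix(?:es)?|sourceAddressPrefix(?:es)?)\b[^\n]*?[\"'](?:0\.0\.0\.0/0|\*)[\"']")
RES_HDR = re.compile(r'^\s*resource\s+"(\w+)"\s+"(\w+)"\s*\{')

def scan_network(text: str) -> list:
    """Return (line, problem) tuples, sorted by line, for NET-001/NET-005 and open NSG sources."""
    findings, lines = [], text.splitlines()
    for n, line in enumerate(lines, 1):
        if (m := PNA_TF.search(line)) and m.group(1) == "true":
            findings.append((n, "public_network_access_enabled = true (WAF-SEC-NET-001)"))
        for m in PNA_STR.finditer(line):
            if m.group(2) == "Enabled":
                findings.append((n, f"{m.group(1)} = Enabled (WAF-SEC-NET-005)"))
        if OPEN_SRC.search(line):
            findings.append((n, "NSG rule allows any source address"))
        hdr = RES_HDR.match(line)
        if hdr and hdr.group(1) in PNA_TYPES:  # walk braces to the end of this block (NET-005)
            depth, body = 0, []
            for body_line in lines[n - 1:]:
                body.append(body_line)
                depth += body_line.count("{") - body_line.count("}")
                if depth == 0:
                    break
            if not PNA_TF.search("\n".join(body)):
                findings.append((n, f"{hdr.group(1)}.{hdr.group(2)} never sets public_network_access_enabled (WAF-SEC-NET-005)"))
    return sorted(findings)

# Constructed sample mixing azurerm resources, an azapi body and an NSG rule.
SAMPLE = """\
resource "azurerm_storage_account" "data" {
  public_network_access_enabled = true
}
resource "azurerm_key_vault" "kv" {
  name = "kv-example"
}
resource "azapi_resource" "law" {
  body = { properties = { publicNetworkAccessForQuery = "Disabled", publicNetworkAccessForIngestion = "Enabled" } }
}
resource "azurerm_network_security_rule" "ssh" {
  source_address_prefix = "0.0.0.0/0"
}
"""
```

Calling `scan_network(SAMPLE)` reports four findings (lines 2, 4, 8 and 11); the key vault is reported for omitting the attribute, not for setting it wrongly, which is the case NET-005 is written to catch.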