ecc-azure-002-cis_iam_owner_roles |
Custom role with Owner privileges on a subscription scope is created |
Identity and Access Management |
Access control |
ecc-azure-004-cis_sec_auto_provisioning |
Automatic provisioning is set to "Off" in Security Center (Microsoft Defender for Cloud) |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-005-cis_sec_email |
'Additional email addresses' is not configured in Microsoft Defender for Cloud |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-006-cis_sec_high_sev_notifications |
Notification alerts are disabled in Security Center (Microsoft Defender for Cloud) |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-007-cis_sec_owners_email_notifications |
Notification alerts to admins or subscription owners are disabled in Microsoft Defender for Cloud |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-008-cis_sa_sec_transfer_req |
Storage account that allows http traffic |
Storage |
Encryption of data in transit |
ecc-azure-009-cis_sa_private |
Storage Account with publicly accessed blobs |
Storage |
Resources not publicly accessible |
ecc-azure-010-cis_sa_net_defaultAction |
Storage Account accepted connections from public network |
Storage |
Resources not publicly accessible |
ecc-azure-011-cis_sa_soft_del |
Soft delete for Azure Storage Blobs is disabled |
Storage |
Backups enabled |
ecc-azure-012-cis_sa_enc |
Azure Storage account data is encrypted with Microsoft Managed Key |
Storage |
Encryption of data at rest |
ecc-azure-013-cis_db_auditing_on |
Azure SQL Database Auditing is set to "Off" |
Databases |
Logging |
ecc-azure-014-cis_db_sql_db_encryption_on |
Transparent Data Encryption is disabled on SQL Database |
Databases |
Encryption of data at rest |
ecc-azure-015-cis_db_auditing_90d |
Azure SQL Database Auditing retention policy set to less than 90 days |
Databases |
Logging |
ecc-azure-016-cis_db_sql_ads_atp |
Advanced Threat Protection is disabled on SQL server |
Databases |
Monitoring |
ecc-azure-024-cis_db_postgresql_ssl |
SSL connection is disabled on PostgreSQL servers |
Databases |
Encryption of data in transit |
ecc-azure-025-cis_db_mysql_ssl |
SSL connection is disabled on MySQL servers |
Databases |
Encryption of data in transit |
ecc-azure-026-cis_db_postgresql_log_checkpoints |
PostgreSQL instance with server parameter 'log_checkpoints' disabled |
Databases |
Logging |
ecc-azure-027-cis_db_postgresql_log_connections |
PostgreSQL instance with server parameter 'log_connections' disabled |
Databases |
Logging |
ecc-azure-028-cis_db_postgresql_log_disconnections |
PostgreSQL instance with server parameter 'log_disconnections' disabled |
Databases |
Logging |
ecc-azure-030-cis_db_postgresql_connection_throttling |
PostgreSQL instance with server parameter 'connection_throttling' disabled |
Databases |
Logging |
ecc-azure-031-cis_db_postgresql_log_retention_days |
PostgreSQL instance with server parameter 'log_retention_days' is set to less than 4 days |
Databases |
Logging |
ecc-azure-032-cis_db_aad_admin |
Azure Active Directory admin is not configured for Azure SQL |
Databases |
Root user access restrictions |
ecc-azure-033-cis_db_sql_tde_protector |
Transparent Data Encryption protector is not encrypted with Customer Managed key |
Databases |
Encryption of data at rest |
ecc-azure-036-cis_log_storage_cont_access |
Monitor Log Profile has storage account that stores activity logs where allowed public access for containers. |
Logging and Monitoring |
Resources not publicly accessible |
ecc-azure-037-cis_log_sa_activ_logs |
Monitor Log Profile has storage account that contains a container with activity logs not encrypted with Customer Managed Key |
Logging and Monitoring |
Encryption of data at rest |
ecc-azure-038-cis_log_keyvaults |
Key Vault with logging disabled |
Cryptography & PKI |
Logging |
ecc-azure-039-cis_log_create_policy |
Subscription where Activity Log Alert does not exist for Create Policy Assignment |
Logging and Monitoring |
Monitoring |
ecc-azure-042-cis_log_create_upd_nsg |
Subscription does not contain Activity Log Alert with appropriate scope for Create or Update Network Security Group Rule |
Logging and Monitoring |
Monitoring |
ecc-azure-043-cis_log_del_nsg |
Subscription does not contain Activity Log Alert with appropriate scope for Delete Network Security Group Rule |
Logging and Monitoring |
Monitoring |
ecc-azure-044-cis_log_create_upd_solutions |
Subscription does not contain Activity Log Alert with appropriate scope for Create or Update Security Solution |
Logging and Monitoring |
Monitoring |
ecc-azure-045-cis_log_del_solutions |
Subscription does not contain Activity Log Alert with appropriate scope for Delete Security Solution |
Logging and Monitoring |
Monitoring |
ecc-azure-046-cis_log_create_update_sql |
Subscription does not contain Activity Log Alert with appropriate scope for Create or Update or Delete SQL Server Firewall Rule |
Logging and Monitoring |
Monitoring |
ecc-azure-048-cis_net_rdp |
Network Security Group with inbound rule that allows RDP traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-049-cis_net_ssh |
Network Security Group with inbound rule that allows SSH traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-050-cis_net_db_firewall |
SQL instances accessible from the Internet or Azure services |
Networking & Content Delivery |
Security group configuration |
ecc-azure-052-cis_net_udp |
Network Security Group with inbound rule that allows UDP traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-053-cis_vm_attached_disks |
Managed disk attached to a VM that is not encrypted with Customer Managed Key |
Storage |
Encryption of data at rest |
ecc-azure-054-cis_vm_unattached_disks |
Unattached managed disks not encrypted with Customer Managed Key |
Storage |
Encryption of data at rest |
ecc-azure-055-cis_key_exp_on |
Key without expiration date set |
Cryptography & PKI |
Key, Secrets, and Certificate management |
ecc-azure-056-cis_secret_exp |
Secret without expiration date set |
Cryptography & PKI |
Key, Secrets, and Certificate management |
ecc-azure-057-cis_key_recoverable |
Key vault without Soft Delete or Purge Protection enabled |
Cryptography & PKI |
Secure configuration |
ecc-azure-058-cis_aks_rbac |
Kubernetes cluster without RBAC enabled |
Kubernetes Engine |
Access control |
ecc-azure-059-cis_app_auth_set |
App Service without App Service Authentication enabled |
AppService |
Access control |
ecc-azure-060-cis_app_https |
App Service that allows http traffic |
AppService |
Encryption of data in transit |
ecc-azure-061-11_cis_app_last_tls |
App Service that uses TLS version before 1.3 |
AppService |
Vulnerability, patch, and version management |
ecc-azure-061-51_cis_app_last_tls |
App Service that uses TLS version before 1.3 |
AppService |
Protocols |
ecc-azure-064-cis_app_ftp_disabled |
App Service that allows FTP deployments |
AppService |
Secure configuration |
ecc-azure-065-11_cis_app_last_http |
App Service without HTTP 2.0 is enabled |
AppService |
Vulnerability, patch, and version management |
ecc-azure-065-51_cis_app_last_http |
App Service without HTTP 2.0 is enabled |
AppService |
Protocols |
ecc-azure-066-cis_log_delete_policy |
Subscription does not contain Activity Log Alert with appropriate scope for Delete Policy Assignment |
Logging and Monitoring |
Monitoring |
ecc-azure-067-cis_log_create_upd_nsg_rule |
Subscription does not contain Activity Log Alert with appropriate scope for Create or Update Network Security Group Rule (securityRules) |
Logging and Monitoring |
Monitoring |
ecc-azure-068-cis_log_del_nsg_rule |
Subscription does not contain Activity Log Alert with appropriate scope for the Delete Network Security Group Rule |
Logging and Monitoring |
Monitoring |
ecc-azure-069-11_cis_app_last_java |
App Service with outdated Java version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-069-51_cis_app_last_java |
App Service with outdated Java version |
AppService |
Runtime version |
ecc-azure-070-11_cis_app_last_python |
App Service with outdated Python version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-070-51_cis_app_last_python |
App Service with outdated Python version |
AppService |
Runtime version |
ecc-azure-071-11_cis_app_last_php |
App Service with outdated PHP version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-071-51_cis_app_last_php |
App Service with outdated PHP version |
AppService |
Runtime version |
ecc-azure-072-cis-app-keyvaults |
Azure Web App without Key Vault reference configured |
AppService |
Credentials not hardcoded |
ecc-azure-094-cis_sec_defender_servers |
Azure Defender for Servers is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-095-cis_sec_defender_app |
Azure Defender for App Service is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-096-cis_sec_defender_azure_sql |
Azure Defender for SQL database servers is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-097-cis_sec_defender_sql_machines |
Azure Defender for SQL servers on machines is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-098-cis_sec_defender_storages |
Azure Defender for Storage is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-099-cis_sec_defender_aks |
Azure Defender for Kubernetes is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-100-cis_sec_defender_acr |
Azure Defender for Container Registries is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-101-cis_sec_defender_keyvaults |
Azure Defender for Key Vault is set to "Off" |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-102-cis_sec_defender_wdatp |
WDATP integration is disabled in Microsoft Defender for Cloud |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-103-cis_sec_mcas |
MCAS integration is disabled in Security Center (Microsoft Defender for Cloud) |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-105-cis_sa_keys_regen |
Storage account without recently regenerated access keys |
Storage |
Inventory |
ecc-azure-106-cis_sa_logging_queue |
Storage account without logging enabled for Queues |
Storage |
Logging |
ecc-azure-108-cis_sa_tms |
Storage account without access from/to "Trusted Microsoft Services" |
Storage |
Access control |
ecc-azure-109-cis_sa_logging_blob |
Storage account without logging enabled for Blobs |
Storage |
Logging |
ecc-azure-110-cis_sa_logging_table |
Storage account without logging enabled for Tables |
Storage |
Logging |
ecc-azure-111-cis_db_postgre_access |
PostgreSQL Database Server with 'Allow access to Azure services' enabled |
Databases |
Access control |
ecc-azure-112-cis_net_netwatcher |
Network Watcher is disabled across the subscription |
Networking & Content Delivery |
Detection services |
ecc-azure-113-cis_vm_utilizing_managed_disks |
Virtual machine that utilizes unmanaged disks |
Compute |
Encryption of data at rest |
ecc-azure-116-cis_vm_endpoint_protection |
Virtual machine without endpoint protection installed |
Compute |
Vulnerability, patch, and version management |
ecc-azure-117-cis_vm_vhd_encrypted |
[Legacy] Virtual machine utilizes unmanaged disks without encryption |
Compute |
Encryption of data at rest |
ecc-azure-119-nsg_all |
Network Security Group with inbound rule that allows all traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-120-nsg_dns |
Network Security Group with inbound rule that allows DNS traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-121-nsg_ftp |
Network Security Group with inbound rule that allows FTP traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-122-cis_nsg_http |
Network Security Group with inbound rule that allows HTTP traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-123-nsg_microsoft_ds |
Network Security Group with inbound rule that allows SMB traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-124-nsg_mongo_db |
Network Security Group with inbound rule that allows MySQL traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-125-nsg_mysql |
Network Security Group with inbound rule that allows MongoDB traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-126-nsg_netbios |
Network Security Group with inbound rule that allows NetBIOS traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-127-nsg_oracle_db |
Network Security Group with inbound rule that allows OracleDB traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-128-nsg_pop3 |
Network Security Group with inbound rule that allows POP3 traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-129-nsg_postgresql |
Network Security Group with inbound rule that allows PostgreSQL traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-130-nsg_smtp |
Network Security Group with inbound rule that allows SMTP traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-131-nsg_telnet |
Network Security Group with inbound rule that allows Telnet traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-132-vm_wo_del_lock |
Instance without deletion protection |
Security & Compliance |
Data deletion protection |
ecc-azure-133-vm_wo_tags |
Instance Without Any Tags |
Security & Compliance |
Tagging |
ecc-azure-137-storage_replication |
Storage account without replication enabled |
Storage |
High availability |
ecc-azure-142-asb_vm_net_ports_restrict |
Network Security Group assigned to network interface or subnet with inbound rule that allows all traffic from the Internet |
Networking & Content Delivery |
Security group configuration |
ecc-azure-143-asb_api_mgmt_vnet |
API Management service without virtual network configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-144-asb_aks_auth_ip_ranges |
Kubernetes cluster without authorized IP access or/and exposed to the public Internet |
Kubernetes Engine |
Security group configuration |
ecc-azure-145-asb_cosmosdb_fw_rules |
Cosmos DB accounts without firewall rules |
Databases |
Security group configuration |
ecc-azure-146-asb_keyvault_disable_public_access |
Key Vault with enabled public access |
Cryptography & PKI |
Resources not publicly accessible |
ecc-azure-147-asb_cognitive_disable_public_access |
Cognitive service with enabled public access |
Networking & Content Delivery |
Resources not publicly accessible |
ecc-azure-148-asb_cognitive_disable_net_access |
Cognitive service with defaultAction set to "Allow" |
Networking & Content Delivery |
Resources not publicly accessible |
ecc-azure-149-asb_acs_not_allow_unrestr_access |
Azure Container Registry which accepts connections over the Internet from hosts on any network. |
Containers |
Resources not publicly accessible |
ecc-azure-150-asb_vm_net_access_protected_by_nsg |
Primary virtual machine network interface with public ip assigned without Network Security Group assignment |
Compute |
Security group configuration |
ecc-azure-151-asb_vm_disable_ip_forward |
Virtual machine network interface with IP Forwarding enabled |
Compute |
Secure network configuration |
ecc-azure-152-asb_vm_jit_port_protection |
VM without JIT policy enabled for SSH or RDP ports |
Compute |
Access control |
ecc-azure-155-asb_mssql_public_access_disabled |
Azure SQL instance with public access enabled |
Databases |
Resources not publicly accessible |
ecc-azure-157-asb_mysql_public_access_disabled |
MySQL instance with public access enabled |
Databases |
Resources not publicly accessible |
ecc-azure-158-asb_postgresql_public_access_disabled |
PostgreSQL instance with public access enabled |
Databases |
Resources not publicly accessible |
ecc-azure-159-asb_sa_restrict_net_access_vnet_rules |
Storage accounts without virtual network IP rules |
Storage |
Resources within VPC |
ecc-azure-160-asb_nsg_assoc_subnet |
Virtual network with network security groups not assigned to subnets |
Networking & Content Delivery |
Security group configuration |
ecc-azure-161-asb_appconfig_private_link |
App Configuration service without Private Endpoint connection configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-162-asb_redis_cache_reside_vnet |
Redis cache that does not reside in a subnet |
Databases |
Resources within VPC |
ecc-azure-163-asb_eg_domains_private_link |
Event Grid Domains service without Private Endpoint connection configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-164-asb_eg_topics_private_link |
Event Grid Topics service without Private Endpoint connection configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-165-asb_ml_workspaces_private_link |
Machine Learning workspace without Private Endpoint connection configured |
Machine Learning |
Resources within VPC |
ecc-azure-166-asb_signalr_private_link |
SignalR service without Private Endpoint connection configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-167-asb_spring_cloud_net_injection |
Spring Cloud service without runtime subnet configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-168-asb_acs_private_link |
Container Registry without Private Endpoint connection configured |
Containers |
Resources within VPC |
ecc-azure-170-asb_keyvault_private_endpoint |
Key Vault without Private Endpoint connection configured |
Cryptography & PKI |
Resources within VPC |
ecc-azure-172-asb_mysql_private_endpoint |
MySQL instance without Private Endpoint connection configured |
Databases |
Resources within VPC |
ecc-azure-173-asb_postgresql_private_endpoint |
PostgreSQL instance without Private Endpoint connection configured |
Databases |
Resources within VPC |
ecc-azure-174-asb_sa_private_link |
Storage Account without Private Endpoint connection configured |
Storage |
Resources within VPC |
ecc-azure-176-asb_ddos_protection_enabled |
Virtual network without DDoS protection enabled which contains application gateway subnet |
Networking & Content Delivery |
Detection services |
ecc-azure-177-asb_waf_enabled_for_app_gateway |
Application Gateway without Web Application Firewall enabled |
Networking & Content Delivery |
Protective services |
ecc-azure-178-asb_waf_enabled_for_front_door |
Azure Front Door service without Web Application Firewall enabled |
Networking & Content Delivery |
Protective services |
ecc-azure-180-asb_func_app_managed_identity |
Function app without Managed identity configured (both SystemAssigned and UserAssigned) |
AppService |
Access control |
ecc-azure-181-asb_web_app_managed_identity |
Web app without Managed identity configured (both SystemAssigned and UserAssigned) |
AppService |
Access control |
ecc-azure-182-asb_service_fabric_aad_auth |
Service Frabric clusters without AAD client authentication |
Identity and Access Management |
Access control |
ecc-azure-184-asb_vm_linux_ssh_auth_req |
Linux virtual machine without SSH authentication method as primary configured (Allows password authentication) |
Compute |
Passwordless authentication |
ecc-azure-197-asb_vm_disk_encryption_on |
Virtual machine without Azure Disk Encryption configured |
Compute |
Encryption of data at rest |
ecc-azure-199-asb_redis_ssl |
SSL connection is disabled on Redis Cache |
Databases |
Encryption of data in transit |
ecc-azure-200-asb_auto_acc_encrypted |
Automation account with unencrypted variable |
Security & Compliance |
Encryption of data at rest |
ecc-azure-201-asb_cosmosdb_encrypt_cmk |
Cosmos DB accounts without CMK encryption configured |
Databases |
Encryption of data at rest |
ecc-azure-202-asb_azl_encrypt_cmk |
Machine Learning workspace without CMK encryption configured |
Security & Compliance |
Encryption of data at rest |
ecc-azure-203-asb_postgresql_encrypt_cmk |
PostgreSQL instance without CMK encryption configured |
Databases |
Encryption of data at rest |
ecc-azure-204-asb_cognitive_sa_encrypt_cmk |
Cognitive Services without CMK encryption configured |
Security & Compliance |
Encryption of data at rest |
ecc-azure-205-asb_acs_ecnrypted_cmk |
Container Registry without CMK encryption configured |
Containers |
Encryption of data at rest |
ecc-azure-206-asb_service_fabric_property |
Service Fabric cluster without configured ClusterProtectionLevel property set to EncryptAndSign |
Security & Compliance |
Encryption of data in transit |
ecc-azure-213-asb_lt_defender_dns |
Azure Defender for DNS is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-214-asb_defender_arm |
Azure Defender for Resource Manager is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-215-asb_networktraffic_linuxvm |
Linux virtual machines without Dependency Agent installed |
Compute |
Detection services |
ecc-azure-216-asb_networktraffic_winvm |
Windows virtual machines without Dependency Agent installed |
Compute |
Logging |
ecc-azure-218-asb_reslogs_stream |
Azure Stream with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-219-asb_reslogs_batch |
Batch account with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-220-asb_reslogs_synapseanalytics |
Azure Synapse Analytics with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-222-asb_reslogs_iot |
IoT Hub with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-224-asb_reslogs_logicapps |
Logic Apps service with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-225-asb_reslogs_search |
Azure Search with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-226-asb_reslogs_servicebus |
Service Bus with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-227-asb_reslogs_vmss |
Virtual machine scale sets without LinuxDiagnostic or IaaSDiangostics extension installed |
Compute |
Logging |
ecc-azure-228-asb_guest_extension |
Virtual machine without Guest Configuration extension installed |
Compute |
Secure configuration |
ecc-azure-231-asb_vm_wo_ama |
Virtual machine without AzureMonitorWindowsAgent or AzureMonitorLinuxAgent extension installed |
Compute |
Logging |
ecc-azure-232-asb_vmss_wo_ama |
Virtual machine scale sets without AzureMonitorWindowsAgent or AzureMonitorLinuxAgent extension installed |
Compute |
Logging |
ecc-azure-234-asb_guest_extension_mi |
Virtual machine with Guest Configuration extension installed without utilizing Managed Identity (SystemAssigned) |
Compute |
Secure configuration |
ecc-azure-235-asb_k8s_policy |
Kubernetes cluster with Azure Policy for AKS disabled |
Kubernetes Engine |
Secure configuration |
ecc-azure-237-asb_cors_func |
Function app with CORS rule that allows every resource to access the service |
AppService |
Secure access management |
ecc-azure-238-asb_cors_web |
Web app with CORS rule that allows every resource to access the service |
AppService |
Secure access management |
ecc-azure-240-asb_certif_web |
Web app with 'Incoming client certificates' disabled |
AppService |
Secure configuration |
ecc-azure-241-asb_certif_func |
Function app with 'Incoming client certificates' disabled |
AppService |
Secure configuration |
ecc-azure-257-asb_remotedebug_func |
Function app with Remote debugging enabled |
AppService |
Secure access management |
ecc-azure-258-asb_remotedebug_web |
Web app with Remote debugging enabled |
AppService |
Secure access management |
ecc-azure-267-11_asb_java_funcapp |
Function app has an outdated Java version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-267-51_asb_java_funcapp |
Function app has an outdated Java version |
AppService |
Runtime version |
ecc-azure-270-11_asb_python_funcapp |
Function app has an outdated Python version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-270-51_asb_python_funcapp |
Function app has an outdated Python version |
AppService |
Runtime version |
ecc-azure-272-asb_scaleset |
Virtual machine scale sets without endpoint protection installed |
Compute |
Secure configuration |
ecc-azure-275-asb_vm_backup |
Virtual machine without Backup configured |
Compute |
Backups enabled |
ecc-azure-277-asb_geo_mysql |
MySQL instance without Geo-redundant backup |
Databases |
High availability |
ecc-azure-278-asb_geo_postgresql |
PostgreSQL instance without Geo-redundant backup |
Databases |
High availability |
ecc-azure-279-aks_local_auth_disabled |
Kubernetes cluster with local authentication methods enabled |
Kubernetes Engine |
Access control |
ecc-azure-280-aks_private_clusters |
Kubernetes cluster with private cluster feature disabled |
Kubernetes Engine |
API private access |
ecc-azure-281-11_aks_non_vulnerable_version |
Kubernetes cluster that utilizes one of the vulnerable k8s versions |
Kubernetes Engine |
Vulnerability, patch, and version management |
ecc-azure-281-51_aks_non_vulnerable_version |
Kubernetes cluster that utilizes one of the vulnerable k8s versions |
Kubernetes Engine |
Engine version |
ecc-azure-282-aks_temp_disks_and_cache_encryptedathost |
Kubernetes cluster without EncryptionAtHost enabled |
Kubernetes Engine |
Encryption of data at rest |
ecc-azure-283-aks_reslogs_aks |
Kubernetes cluster with logging disabled |
Kubernetes Engine |
Logging |
ecc-azure-284-aks_disks_encrypted |
Kubernetes cluster without OS and Data disks CMK encryption configured |
Kubernetes Engine |
Encryption of data at rest |
ecc-azure-286-aks_network_policy |
A network policy is not in place to secure traffic between pods |
Kubernetes Engine |
Secure configuration |
ecc-azure-287-aks_azure_cni_networking |
Azure CNI Networking is disabled |
Kubernetes Engine |
Resource configuration |
ecc-azure-288-aks_cluster_pool_contains_nodes |
Cluster Pool contains less than 3 Nodes |
Kubernetes Engine |
High availability |
ecc-azure-289-acr_admin_user_disabled |
Admin user is enabled for Container Registry |
Containers |
Root user access restrictions |
ecc-azure-290-acr_resource_locks |
Container Registry has no locks |
Containers |
Data deletion protection |
ecc-azure-291-storage_accounts_regions |
Storage Accounts outside Europe |
Storage |
Resource configuration |
ecc-azure-293-sql_data_replication_failover_groups |
Azure SQL Server data replication with Failover groups |
Databases |
High availability |
ecc-azure-294-vm_availability_set |
Azure Virtual Machine is not assigned to an availability set |
Compute |
High availability |
ecc-azure-295-sql_avoid_ad_admin_name |
Name like 'Admin' for an Azure SQL Server Active Directory Administrator account is found |
Databases |
Secure configuration |
ecc-azure-296-sql_avoid_local_admin_name |
Name like 'Admin' for an Azure SQL Server Administrator account is found |
Databases |
Secure configuration |
ecc-azure-298-function_app_service_logging |
Application Service Logs are Disabled for Containerized Function Apps |
AppService |
Logging |
ecc-azure-299-function_app_health_check |
Health Check is disabled for your Function App |
AppService |
Resource configuration |
ecc-azure-300-11_app_gateway_tls_version |
Application Gateway with vulnerable and outdated TLS version |
Networking & Content Delivery |
Vulnerability, patch, and version management |
ecc-azure-300-51_app_gateway_tls_version |
Application Gateway with vulnerable and outdated TLS version |
Networking & Content Delivery |
Protocols |
ecc-azure-301-redis_cache_fw_rules |
Redis Cache without exposed to the public Internet |
Databases |
Security group configuration |
ecc-azure-302-redis_cache_disabled_public_access |
Redis Cache with enabled public access |
Databases |
Resources not publicly accessible |
ecc-azure-304-app_gateway_https |
Application Gateway is using Http protocol |
Networking & Content Delivery |
Encryption of data in transit |
ecc-azure-305-11_cis_storage_account_minimum_tls |
Storage account with vulnerable and outdated TLS version |
Storage |
Vulnerability, patch, and version management |
ecc-azure-305-51_cis_storage_account_minimum_tls |
Storage account with vulnerable and outdated TLS version |
Storage |
Protocols |
ecc-azure-306-cis_postgresql_infrastructure_double_enc |
PostgreSQL instance with disabled Infrastructure double encryption |
Databases |
Encryption of data at rest |
ecc-azure-310-asb_defender_open_source_rds |
Azure Defender for OpenSource Relational Databases is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-311-cis_postgresql_logging_collector |
PostgreSQL instance with server parameter 'logging collector' disabled |
Databases |
Logging |
ecc-azure-313-cis_postgresql_log_min_messages |
PostgreSQL instance without server parameter 'log_min_messages' set to WARNING |
Databases |
Logging |
ecc-azure-314-cis_postgresql_debug_print_plan_disabled |
PostgreSQL instance with server parameter 'debug_print_plan' enabled |
Databases |
Logging |
ecc-azure-317-cis_postgresql_log_error_verbosity_set_correctly |
PostgreSQL instance without server parameter 'log_error_verbosity' set to VERBOSE |
Databases |
Logging |
ecc-azure-318-cis_postgresql_log_line_prefix_set_correctly |
PostgreSQL instance with server parameter 'log_line_prefix' set incorrectly |
Databases |
Logging |
ecc-azure-319-cis_postgresql_log_min_error_statement |
PostgreSQL instance without server parameter 'log_min_error_statement' set to ERROR |
Databases |
Logging |
ecc-azure-321-cis_postgresql_log_statement_set_correctly |
PostgreSQL instance with server parameter 'log_statement' set incorrectly |
Databases |
Logging |
ecc-azure-323-linux_vmss_ssh |
Azure Linux virtual machines scale set doesn't use an SSH key |
Compute |
Passwordless authentication |
ecc-azure-324-data_explorer_double_encryption |
Azure Kusto cluster without double encryption enabled |
Analytics |
Encryption of data at rest |
ecc-azure-325-data_explorer_disc_encryption |
Azure Kusto cluster without disk encryption |
Analytics |
Encryption of data at rest |
ecc-azure-326-data_explorer_cmk |
Azure Kusto cluster without CMK configured |
Analytics |
Encryption of data at rest |
ecc-azure-327-data_factory_git_repo |
Azure Data Factory doesn't use Git repository for source control |
Analytics |
Resource configuration |
ecc-azure-328-data_factory_cmk |
Azure data factories are not encrypted with a customer-managed key |
Analytics |
Encryption of data at rest |
ecc-azure-329-batch_cmk |
Azure Batch account doesn't use key vault to encrypt data |
Security & Compliance |
Encryption of data at rest |
ecc-azure-331-app_service_detailed_error_messages |
App service with disabled detailed logging of error messages |
AppService |
Logging |
ecc-azure-332-app_service_request_tracing |
App service without configured failed requests tracings |
AppService |
Logging |
ecc-azure-333-iot_hub_public_access |
Public network access enabled for Azure IoT Hub |
Networking & Content Delivery |
Resources not publicly accessible |
ecc-azure-334-cosmosdb_priveleged_escalation |
Cosmos DB account with unrestricted write access to the management plane |
Databases |
Access control |
ecc-azure-336-vmss_encryption_at_host |
Virtual machine scale sets without EncryptionAtHost enabled |
Compute |
Encryption of data at rest |
ecc-azure-337-vm_antimalware_auto_updates |
Microsoft Antimalware is not configured to automatically update Virtual Machines |
Compute |
Vulnerability, patch, and version management |
ecc-azure-339-kv_secrets_content_type |
Secret without 'content_type' set |
Cryptography & PKI |
Tagging |
ecc-azure-340-appgw_waf_log4j |
Application Gateway without the Log4j WAF rule enabled or a ruleset version 3.0 or above applied |
Networking & Content Delivery |
Protective services |
ecc-azure-341-front_door_waf_log4j |
Azure Front Door without the Log4j WAF rule enabled |
Networking & Content Delivery |
Protective services |
ecc-azure-342-11_mssql_latest_tls |
Azure SQL instance with vulnerable and outdated TLS version |
Databases |
Vulnerability, patch, and version management |
ecc-azure-342-51_mssql_latest_tls |
Azure SQL instance with vulnerable and outdated TLS version |
Databases |
Protocols |
ecc-azure-343-postgresql_threat_detection_policy |
Advanced Threat Protection is disabled on PostgreSQL server |
Databases |
Monitoring |
ecc-azure-344-mysql_threat_detection_policy |
Advanced Threat Protection is disabled on MySQL server |
Databases |
Monitoring |
ecc-azure-345-mysql_infrastructure_encryption |
MySQL instance with infrastructure double encryption disabled |
Databases |
Encryption of data at rest |
ecc-azure-346-11_mysql_latest_tls |
MySQL instance with vulnerable and outdated TLS version |
Databases |
Vulnerability, patch, and version management |
ecc-azure-346-51_mysql_latest_tls |
MySQL instance with vulnerable and outdated TLS version |
Databases |
Protocols |
ecc-azure-347-mysql_cmk |
MySQL instance without CMK encryption configured |
Databases |
Encryption of data at rest |
ecc-azure-348-mysql_harden_usage_for_local_infile |
MySQL instance with server parameter 'local_infile' enabled |
Databases |
Resource configuration |
ecc-azure-349-mysql_max_user_connections |
MySQL instance without a "max_user_connections" server setting limit |
Databases |
Resource configuration |
ecc-azure-350-mysql_slow_query_log_permissions |
MySQL instance with server parameter 'slow_query_log' disabled |
Databases |
Logging |
ecc-azure-351-sql_mode |
MySQL instance without the sql_mode parameter set to "STRICT_ALL_TABLES" |
Databases |
Resource configuration |
ecc-azure-353-vmss_auto_image_patching |
Virtual machine scale sets without OS image automatic upgrade enabled |
Compute |
Vulnerability, patch, and version management |
ecc-azure-354-acr_anonymous_pull |
Container registry with anonymous pull enabled |
Containers |
Access control |
ecc-azure-355-ml_min_cluster_nodes |
Azure Machine Learning Compute cluster with minNodeCount property not equal to 0 |
Security & Compliance |
Autoscaling |
ecc-azure-356-api_mgmt_client_cert |
API Management service without client certificates configured |
Security & Compliance |
Key, Secrets, and Certificate management |
ecc-azure-357-databricks_public_access |
Azure Databricks workspace with public access enabled |
Analytics |
Resources not publicly accessible |
ecc-azure-358-synapse_workspace_managed_vnet |
Azure Synapse workspace without managed virtual network |
Analytics |
Resources within VPC |
ecc-azure-359-synapse_workspace_data_exfiltration_protection |
Azure Synapse workspace without data exfiltration protection enabled |
Analytics |
Secure configuration |
ecc-azure-362-vm_without_va_extension |
Azure Virtual Machines without Vulnerability Assessment solution |
Compute |
Secure configuration |
ecc-azure-364-resource_tag_activity_log_alert |
Activity Log Alert without tags |
Security & Compliance |
Tagging |
ecc-azure-365-resource_tag_api_management |
API Management without tags |
Security & Compliance |
Tagging |
ecc-azure-367-vm_omi_vulnerability |
Linux virtual machine affected by the OMI vulnerability (CVE-2021-38645) |
Compute |
Vulnerability, patch, and version management |
ecc-azure-368-vmss_omi_vulnerability |
Linux virtual machine scale set affected by the OMI vulnerability (CVE-2021-38645) |
Compute |
Vulnerability, patch, and version management |
ecc-azure-369-cis_sa_infrastructure_encryption |
Storage Account without Infrastructure Encryption enabled |
Storage |
Encryption of data at rest |
ecc-azure-370-cis_cosmosdb_private_endpoint |
CosmosDB account without Private Endpoint connection configured |
Networking & Content Delivery |
Resources within VPC |
ecc-azure-371-cis_mysql_audit_log_enabled |
MySQL instance with server setting "audit_log_enabled" set to "off" |
Databases |
Logging |
ecc-azure-372-cis_mysql_audit_log_events |
MySQL instance with server setting "audit_log_events" set to "off" |
Databases |
Logging |
ecc-azure-373-cis_activity_log_alert_create_or_update_pip |
Subscription where Activity Log Alert does not exist for Create or Update Public IP Address rule |
Logging and Monitoring |
Monitoring |
ecc-azure-374-cis_activity_log_alert_delete_pip |
Subscription where Activity Log Alert does not exist for Delete Public IP Address rule |
Logging and Monitoring |
Monitoring |
ecc-azure-376-cis_defender_cosmodb |
Azure Defender for Cosmos DB service is set to "Off" |
Microsoft Defender for Cloud |
Monitoring |
ecc-azure-378-vnet_flow_log_analytics |
Virtual network with Flow Log Analytics disabled |
Networking & Content Delivery |
Logging |
ecc-azure-379-cis_appservice_http_logs |
App Service with web requests logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-412-cis_tpm_and_secure_boot |
Azure virtual machine with Trusted Launch disabled |
Compute |
Secure configuration |
ecc-azure-413-dep_vm_w_mma |
Virtual machine with deprecated MicrosoftMonitoringAgent or OmsAgentForLinux extension installed |
Compute |
Other |
ecc-azure-414-dep_vmss_w_mma |
Virtual machine scale sets with deprecated MicrosoftMonitoringAgent or OmsAgentForLinux extension installed |
Compute |
Other |
ecc-azure-415-dep_depr_mysql_instance |
Deprecated Azure Database for MySQL - Single Server exists in subscription |
Databases |
Service |
ecc-azure-416-dep_depr_postgresql_instance |
Deprecated Azure Database for PostgreSQL - Single Server exists in subscription |
Databases |
Service |
ecc-azure-417-cis_app_deprecated_java |
App Service with deprecated Java version |
AppService |
Runtime version |
ecc-azure-418-cis_app_deprecated_python |
App Service with deprecated Python version |
AppService |
Runtime version |
ecc-azure-419-cis_app_deprecated_php |
App Service with deprecated PHP version |
AppService |
Runtime version |
ecc-azure-420-asb_deprecated_java_funcapp |
Function app has a deprecated Java version |
AppService |
Runtime version |
ecc-azure-421-asb_deprecated_python_funcapp |
Function app has a deprecated Python version |
AppService |
Runtime version |
ecc-azure-422-dep_depr_mariadb_instance |
Deprecated Azure Database for MariaDB exists in subscription |
Databases |
Service |
ecc-azure-423-dep_retired_spring_instance |
Deprecated Azure Spring Apps instance exists in subscription |
AppService |
Service |
ecc-azure-424-dep_vm_w_diag_ext |
Virtual machine with deprecated LinuxDiagnostic or IaaSDiagnostics extension installed |
Compute |
Other |
ecc-azure-425-dep_vmss_w_diag_ext |
Virtual machine scale sets with deprecated LinuxDiagnostic or IaaSDiagnostics extension installed |
Compute |
Other |
ecc-azure-426-dep_nsg_w_flow_logs |
Network security group with retired flow logs feature |
Networking & Content Delivery |
Feature |
ecc-azure-427-dep_powershell_funcapp |
Function app has a deprecated PowerShell version |
AppService |
Runtime version |
ecc-azure-428-11_dep_eventgrid_latest_tls |
Event Grid Domains service has a deprecated TLS version |
Networking & Content Delivery |
Vulnerability, patch, and version management |
ecc-azure-428-51_dep_eventgrid_latest_tls |
Event Grid Domains service has a deprecated TLS version |
Networking & Content Delivery |
Protocols |
ecc-azure-429-dep_retired_vm_skus |
Azure Virtual Machine is using a retired VM size |
Compute |
Instance generation |
ecc-azure-430-dep_dotNet_funcapp |
Function app has a deprecated .NET version |
AppService |
Runtime version |
ecc-azure-431-dep_retired_frontdoor_classic |
Retired Azure Front Door (classic) instance exists in subscription |
Networking & Content Delivery |
Service |
ecc-azure-432-dep_frontdoor_latest_tls |
Azure Front Door instance with outdated TLS version |
Networking & Content Delivery |
Protocols |
ecc-azure-433-11_dep_appenv_latest_tls |
App Service Environment that uses TLS version before 1.2 |
AppService |
Vulnerability, patch, and version management |
ecc-azure-433-51_dep_appenv_latest_tls |
App Service Environment that uses TLS version before 1.2 |
AppService |
Protocols |
ecc-azure-434-dep_retired_storage_classic |
Retired classic storage account instance exists in subscription |
Storage |
Service |
ecc-azure-435-dep_retired_appgw_conf |
Application Gateway with retired Web Application Firewall V2 Configuration enabled |
Networking & Content Delivery |
Feature |
ecc-azure-436-dep_retired_unmanaged_disk |
Azure Virtual Machine is using a retired unmanaged disk |
Compute |
Feature |
ecc-azure-437-11_dep_redis_latest_tls |
Redis cache with deprecated TLS version |
Databases |
Vulnerability, patch, and version management |
ecc-azure-437-51_dep_redis_latest_tls |
Redis cache with deprecated TLS version |
Databases |
Protocols |
ecc-azure-439-disable_premium_ssd |
Virtual machine with Premium SSD volumes |
Storage |
Storage optimization |
ecc-azure-440-enable_lifecycle_sa |
Storage Account lifecycle is not configured |
Storage |
Lifecycle management |
ecc-azure-441-delete_empty_vmss |
Empty virtual machine scale sets available within your Microsoft Azure cloud account |
Compute |
Unutilized resources |
ecc-azure-442-delete_unused_lb |
Unused load balancers available within your Azure cloud account |
Networking & Content Delivery |
Unutilized resources |
ecc-azure-444-00_delete_old_snapshot |
Old Azure virtual machine (VM) disk snapshots exist in subscription |
Storage |
Unutilized resources |
ecc-azure-444-11_delete_old_snapshot |
Old Azure virtual machine (VM) disk snapshots exist in subscription |
Storage |
Data protection |
ecc-azure-445-00_delete_unattached_disk |
Unattached (unused) Microsoft Azure virtual machine disk volumes available within your subscription |
Storage |
Unutilized resources |
ecc-azure-445-11_delete_unattached_disk |
Unattached (unused) Microsoft Azure virtual machine disk volumes available within your subscription |
Storage |
Data protection |
ecc-azure-446-delete_unused_ip |
Unused Public IP Addresses available within your Azure cloud account |
Networking & Content Delivery |
Unutilized resources |
ecc-azure-447-mcsb_ml_idle_shutdown |
Azure Machine Learning Compute Instance without idle shutdown configuration |
Machine Learning |
Idle and underutilized resources |
ecc-azure-448-00_vm_stopped_instance |
Stopped Azure VM instances are not removed after a specified time period |
Compute |
Unutilized resources |
ecc-azure-448-11_vm_stopped_instance |
Stopped Azure VM instances are not removed after a specified time period |
Compute |
Vulnerability, patch, and version management |
ecc-azure-449-vm_idle_cpu_utilization |
Idle Azure VM instances |
Compute |
Idle and underutilized resources |
ecc-azure-451-00_delete_unused_waf |
An Application Gateway WAF policy in disabled state |
Networking & Content Delivery |
Unutilized resources |
ecc-azure-451-11_delete_unused_waf |
An Application Gateway WAF policy in disabled state |
Networking & Content Delivery |
Protective services |
ecc-azure-452-delete_unused_appserviceplan |
Unused App Service Plan available within your subscription |
AppService |
Unutilized resources |
ecc-azure-453-00_vm_deallocated_instance |
Deallocated Azure VM instances are not removed after a specified time period |
Compute |
Unutilized resources |
ecc-azure-453-11_vm_deallocated_instance |
Deallocated Azure VM instances are not removed after a specified time period |
Compute |
Vulnerability, patch, and version management |
ecc-azure-454-11_last_powershell_funcapp |
Function app has an outdated PowerShell version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-454-51_last_powershell_funcapp |
Function app has an outdated PowerShell version |
AppService |
Runtime version |
ecc-azure-455-11_last_dotNet_funcapp |
Function app has an outdated .NET version |
AppService |
Vulnerability, patch, and version management |
ecc-azure-455-51_last_dotNet_funcapp |
Function app has an outdated .NET version |
AppService |
Runtime version |
ecc-azure-456-cis_db_postgresql_res_logs |
PostgreSQL instance with logging disabled |
Databases |
Logging |
ecc-azure-458-cis_disk_public_access_disabled |
Managed Disk instance with public access enabled |
Storage |
Resources not publicly accessible |
ecc-azure-459-cis_disk_access_mode |
Azure Managed Disk without Data Access Authentication Mode enabled |
Storage |
Access control |
ecc-azure-461-cis_keyvault_rbac_enabled |
Key Vault without RBAC enabled |
Cryptography & PKI |
Access control |
ecc-azure-462-cis_keyvault_rotation_policy |
Key Vault key without automatic key rotation enabled |
Cryptography & PKI |
Key, Secrets, and Certificate management |
ecc-azure-463-cis_sa_cross_tenant_replication_disabled |
Storage account with Cross Tenant Replication enabled |
Storage |
Access control |
ecc-azure-464-cis_app_insights_configured |
Subscription where Application Insights is not configured |
Logging and Monitoring |
Monitoring |
ecc-azure-465-cis_bastion_host_exist |
Subscription where Azure Bastion Host is not configured |
Networking & Content Delivery |
Access control |
ecc-azure-466-cis_sa_key_rotation_reminder |
Storage Account without enabled key rotation reminders |
Storage |
Key, Secrets, and Certificate management |
ecc-azure-467-cis_subscription_activity_logs |
Subscription with logging disabled |
Logging and Monitoring |
Logging |
ecc-azure-468-cis_sa_versioning_enabled |
Storage account with 'Versioning' disabled |
Storage |
Data deletion protection |
ecc-azure-469-cis_sa_resource_lock |
Storage Account without CannotDelete lock |
Storage |
Data deletion protection |
ecc-azure-470-cis_sec_agentless_scan |
Agentless scanning for machines is disabled in Microsoft Defender for Cloud |
Microsoft Defender for Cloud |
Detection services |
ecc-azure-472-cis_sa_key_access |
Storage account with 'Shared Key authorization' enabled |
Storage |
Access control |
ecc-azure-473-cis_databricks_vnet |
Azure Databricks workspace that is not deployed in a customer-managed virtual network (VNet) |
Analytics |
Resources within VPC |
ecc-azure-474-cis_reslogs_databricks |
Azure Databricks instance with logging disabled |
Analytics |
Logging |
ecc-azure-475-cis_databricks_data_cmk |
Azure Databricks workspace does not use CMK for encryption |
Analytics |
Encryption of data at rest and in transit |
ecc-azure-477-cis_sa_key_access |
Storage account with shared key access enabled |
Storage |
Access control |
ecc-azure-478-cis_sa_entraid_authorization |
Storage account with Microsoft Entra authorization disabled |
Storage |
Access control |
ecc-azure-479-cis_sec_file_integrity |
File Integrity Monitoring is disabled in Microsoft Defender for Cloud |
Microsoft Defender for Cloud |
Detection services |