App Service - oWretch/policy GitHub Wiki
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
App Service | API App should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit Deny Disabled | | | | | | | | |
App Service | App Service app slots should disable public network access: Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit | | | | | | | | |
App Service | App Service app slots should enable configuration routing to Azure Virtual Network: By default, app configuration traffic such as pulling container images and mounting content storage is not routed through the regional virtual network integration. Using the API to set the routing options to true sends configuration traffic through the Azure Virtual Network, so that network security groups and user-defined routes apply to it and service endpoints can be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network: By default, with regional Azure Virtual Network (VNET) integration the app only routes RFC 1918 traffic into that virtual network. Using the API to set 'vnetRouteAllEnabled' to true routes all outbound traffic into the Azure Virtual Network, so that network security groups and user-defined routes apply to all outbound traffic from the App Service app. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service app slots should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit | | | | | | | | |
App Service | App Service apps should disable public network access: Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit | | | | | | | | |
App Service | App Service apps should enable configuration routing to Azure Virtual Network: By default, app configuration traffic such as pulling container images and mounting content storage is not routed through the regional virtual network integration. Using the API to set the routing options to true sends configuration traffic through the Azure Virtual Network, so that network security groups and user-defined routes apply to it and service endpoints can be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network: By default, with regional Azure Virtual Network (VNET) integration the app only routes RFC 1918 traffic into that virtual network. Using the API to set 'vnetRouteAllEnabled' to true routes all outbound traffic into the Azure Virtual Network, so that network security groups and user-defined routes apply to all outbound traffic from the App Service app. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service apps should have Client Certificates (Incoming client certificates) enabled: Client certificates allow the app to request a certificate for incoming requests. Only clients that present a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists Disabled | | | | | | | | |
App Service | App Service apps should have remote debugging turned off: Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists Disabled | | | | | | | | |
App Service | App Service apps should have resource logs enabled: Audit enabling of resource logs on the app. Resource logs let you recreate activity trails for investigation if a security incident occurs or your network is compromised. | AuditIfNotExists Disabled | | | | | | | | |
App Service | App Service apps should not have CORS configured to allow every resource to access your apps: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists Disabled | | | | | | | | |
App Service | App Service apps should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit | Audit Deny Disabled | | | | | | | |
App Service | App Service apps should require FTPS only: Enable FTPS enforcement for enhanced security. | AuditIfNotExists Disabled | | | | | | | | |
App Service | App Service apps should use a SKU that supports private link: With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service apps should use managed identity: Use a managed identity for enhanced authentication security. | AuditIfNotExists Disabled | | | | | | | | |
App Service | App Service apps should use the latest TLS version: Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists Disabled | AuditIfNotExists Disabled | | | | | | | |
App Service | App Service certificates must be stored in Key Vault: App Service (including Logic apps and Function apps) must use certificates stored in Key Vault. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service Environment apps should not be reachable over public internet: To ensure apps deployed in an App Service Environment are not accessible over the public internet, deploy the App Service Environment with an IP address in a virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Deny Disabled Audit | | | | | | | | |
App Service | App Service Environment should be provisioned with latest versions: Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
App Service | App Service Environment should have TLS 1.0 and 1.1 disabled: TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Deny Disabled Audit | | | | | | | | |
App Service | AppService append enable https only setting to enforce https setting: Appends the AppService sites object to ensure that HTTPS only is enabled, for server/service authentication and to protect data in transit from network layer eavesdropping attacks. Note that Append does not enforce compliance; pair it with a Deny policy to enforce the setting. | Append Disabled | | | | | | | | |
App Service | AppService append sites with minimum TLS version to enforce: Appends the AppService sites object to ensure that the minimum TLS version is set to the required value. Note that Append does not enforce compliance; pair it with a Deny policy to enforce the setting. | Append Disabled | | | | | | | | |
App Service | Configure App Service app slots to disable local authentication for SCM sites: Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure App Service app slots to disable public network access: Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Modify Disabled | Modify Disabled | | | | | | | |
App Service | Configure App Service app slots to turn off remote debugging: Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure App Service app slots to use the latest TLS version: Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of security fixes, if any, and/or new functionality of the latest version. | DeployIfNotExists Disabled | | | | | | | | |
App Service | Configure App Service apps to disable local authentication for FTP deployments: Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure App Service apps to disable local authentication for SCM sites: Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure App Service apps to disable public network access: Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Modify Disabled | Modify Disabled | | | | | | | |
App Service | Configure App Service apps to only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Modify Disabled | Modify Disabled | | | | | | | |
App Service | Configure App Service apps to turn off remote debugging: Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure App Service apps to use private DNS zones: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | DeployIfNotExists Disabled | | | | | | | | |
App Service | Configure App Service apps to use the latest TLS version: Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of security fixes, if any, and/or new functionality of the latest version. | DeployIfNotExists Disabled | | | | | | | | |
App Service | Configure Function app slots to disable public network access: Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Modify Disabled | Modify Disabled | | | | | | | |
App Service | Configure Function app slots to only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Modify Disabled | Modify Disabled | | | | | | | |
App Service | Configure Function app slots to turn off remote debugging: Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure Function app slots to use the latest TLS version: Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of security fixes, if any, and/or new functionality of the latest version. | DeployIfNotExists Disabled | | | | | | | | |
App Service | Configure Function apps to turn off remote debugging: Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
App Service | Configure Function apps to use the latest TLS version: Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of security fixes, if any, and/or new functionality of the latest version. | DeployIfNotExists Disabled | | | | | | | | |
App Service | Function App should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit Deny Disabled | | | | | | | | |
App Service | Function app slots should disable public network access: Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit | | | | | | | | |
App Service | Function app slots should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit | | | | | | | | |
App Service | Function apps should disable public network access: Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit | | | | | | | | |
App Service | Function apps should have Client Certificates (Incoming client certificates) enabled: Client certificates allow the app to request a certificate for incoming requests. Only clients that present a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists Disabled | | | | | | | | |
App Service | Function apps should have remote debugging turned off: Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists Disabled | | | | | | | | |
App Service | Function apps should not have CORS configured to allow every resource to access your apps: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists Disabled | | | | | | | | |
App Service | Function apps should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit | Audit Deny Disabled | | | | | | | |
App Service | Function apps should require FTPS only: Enable FTPS enforcement for enhanced security. | AuditIfNotExists Disabled | | | | | | | | |
App Service | Function apps should use managed identity: Use a managed identity for enhanced authentication security. | AuditIfNotExists Disabled | | | | | | | | |
App Service | Function apps should use the latest TLS version: Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists Disabled | AuditIfNotExists Disabled | | | | | | | |
App Service | Web Application should only be accessible over HTTPS: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit Deny Disabled | | | | | | | | |
Parameter values set on the assignments above:

Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
App Service | AppService append sites with minimum TLS version to enforce: Appends the AppService sites object to ensure that the minimum TLS version is set to the required value. Note that Append does not enforce compliance; pair it with a Deny policy to enforce the setting. | AppServiceminTlsVersion = 1.2 | | | | | | | | |
App Service | Configure App Service apps to use private DNS zones: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | azureAppServicesPrivateDnsZoneId = --DNSZonePrefix--privatelink.azurewebsi... | | | | | | | | |
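The checker below is an added example; it is not code from the oWretch/policy repository or from Azure Policy itself. It evaluates a dict shaped like the ARM JSON of a Microsoft.Web/sites resource against the App Service app checks listed in the table above, using the AppServiceminTlsVersion = 1.2 value from the parameters table as the TLS floor. The property names (httpsOnly, publicNetworkAccess, clientCertEnabled, siteConfig.minTlsVersion, ftpsState, remoteDebuggingEnabled, cors.allowedOrigins, vnetRouteAllEnabled, vnetContentShareEnabled, vnetImagePullEnabled, http20Enabled, identity.type) follow the Microsoft.Web/sites API; the pass/fail logic is an approximation of what the built-in definitions evaluate, not the definitions themselves (for example, ftpsState Disabled is treated here as satisfying the FTPS-only check, and the client-certificate check reports HTTP/2 apps as not applicable). Both sample sites are constructed: one with weak, default-style settings and one hardened.

```python
"""Offline approximation of the App Service checks in the tables above.

Added example; not code from the oWretch/policy repository or from Azure Policy.
Input is a dict shaped like the ARM JSON of a Microsoft.Web/sites resource.
The check logic approximates the built-in policies; it is not the definitions.
"""
from typing import Callable, Dict, List, Optional

# Mirrors the AppServiceminTlsVersion = 1.2 parameter from the parameters table.
REQUIRED_MIN_TLS = "1.2"

def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # "1.2" -> (1, 2), numeric compare

def _props(site: dict) -> dict:
    return site.get("properties") or {}

def _cfg(site: dict) -> dict:
    return _props(site).get("siteConfig") or {}

def https_only(site: dict) -> bool:
    return _props(site).get("httpsOnly") is True

def min_tls(site: dict) -> bool:
    # An app with no explicit minTlsVersion is treated as 1.0, the weakest setting.
    return _version(_cfg(site).get("minTlsVersion", "1.0")) >= _version(REQUIRED_MIN_TLS)

def ftps_only(site: dict) -> bool:
    # FtpsOnly satisfies the check; Disabled (no FTP endpoint at all) is stricter and also passes.
    return _cfg(site).get("ftpsState") in ("FtpsOnly", "Disabled")

def remote_debugging_off(site: dict) -> bool:
    return not _cfg(site).get("remoteDebuggingEnabled", False)

def cors_not_wildcard(site: dict) -> bool:
    origins = (_cfg(site).get("cors") or {}).get("allowedOrigins") or []
    return "*" not in origins

def public_network_disabled(site: dict) -> bool:
    return _props(site).get("publicNetworkAccess") == "Disabled"

def vnet_route_all(site: dict) -> bool:
    return _cfg(site).get("vnetRouteAllEnabled") is True

def config_routing(site: dict) -> bool:
    # Content share mounting and image pulls both routed through the VNet integration.
    cfg = _cfg(site)
    return cfg.get("vnetContentShareEnabled") is True and cfg.get("vnetImagePullEnabled") is True

def client_cert(site: dict) -> Optional[bool]:
    # The built-in policy applies to HTTP/1.1 apps only; HTTP/2 apps are reported as not applicable.
    if _cfg(site).get("http20Enabled") is True:
        return None
    return _props(site).get("clientCertEnabled") is True

def managed_identity(site: dict) -> bool:
    kind = (site.get("identity") or {}).get("type") or "None"
    return "SystemAssigned" in kind or "UserAssigned" in kind

CHECKS: Dict[str, Callable[[dict], Optional[bool]]] = {
    "App Service apps should only be accessible over HTTPS": https_only,
    "App Service apps should use the latest TLS version": min_tls,
    "App Service apps should require FTPS only": ftps_only,
    "App Service apps should have remote debugging turned off": remote_debugging_off,
    "App Service apps should not have CORS configured to allow every resource to access your apps": cors_not_wildcard,
    "App Service apps should disable public network access": public_network_disabled,
    "App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network": vnet_route_all,
    "App Service apps should enable configuration routing to Azure Virtual Network": config_routing,
    "App Service apps should have Client Certificates (Incoming client certificates) enabled": client_cert,
    "App Service apps should use managed identity": managed_identity,
}

def evaluate(site: dict) -> Dict[str, Optional[bool]]:
    """True = compliant, False = non-compliant, None = policy not applicable to this app."""
    return {name: check(site) for name, check in CHECKS.items()}

def noncompliant(site: dict) -> List[str]:
    return [name for name, ok in evaluate(site).items() if ok is False]

# Constructed sample resources, not exported from a real subscription.
WEAK_SITE = {"name": "contoso-api", "properties": {
    "httpsOnly": False, "publicNetworkAccess": "Enabled", "clientCertEnabled": False,
    "siteConfig": {"minTlsVersion": "1.0", "ftpsState": "AllAllowed", "remoteDebuggingEnabled": True,
                   "cors": {"allowedOrigins": ["*"]}, "vnetRouteAllEnabled": False}}}

HARDENED_SITE = {"name": "contoso-api", "identity": {"type": "SystemAssigned"}, "properties": {
    "httpsOnly": True, "publicNetworkAccess": "Disabled", "clientCertEnabled": True,
    "siteConfig": {"minTlsVersion": "1.2", "ftpsState": "FtpsOnly", "remoteDebuggingEnabled": False,
                   "cors": {"allowedOrigins": ["https://portal.contoso.example"]},
                   "vnetRouteAllEnabled": True, "vnetContentShareEnabled": True, "vnetImagePullEnabled": True}}}

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(f"{label}: {len(noncompliant(site))} non-compliant checks", noncompliant(site))
```

Running the file lists every check the weak sample fails and none for the hardened one. In practice the site's network and TLS settings live on the config/web child resource rather than on the site's own GET response, so merge that config into properties.siteConfig before evaluating; the result is a pre-deployment preview of what the Audit and Deny assignments in the table would flag, not a replacement for Azure Policy's own compliance evaluation.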