Benchmark: App Service
Description
This section contains recommendations for configuring App Service resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select App Service.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_appservice
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_appservice --share
Controls
- App Service Environment should enable internal encryption
 - App Service apps should have Client Certificates (Incoming client certificates) enabled
 - App Service apps should not have CORS configured to allow every resource to access your apps
 - FTPS only should be required in your API App
 - App Service apps should use the latest TLS version
 - App Service apps should have remote debugging turned off
 - App Service API apps should only be accessible over HTTPS
 - Managed identity should be used in your API App
 - Ensure App Service authentication is set up for apps in Azure App Service
 - Ensure FTP deployments are Disabled
 - Ensure App Service authentication is set up for function apps in Azure App Service
 - Function apps should have 'Client Certificates (Incoming client certificates)' enabled
 - Function apps should not have CORS configured to allow every resource to access your apps
 - FTPS only should be required in your Function App
 - Ensure that 'HTTP Version' is the latest, if used to run the Function app
 - Ensure that 'Java version' is the latest, if used as a part of the Function app
 - Ensure that 'Python version' is the latest, if used as a part of the Function app
 - Function apps should use the latest TLS version
 - Function apps should only be accessible over HTTPS
 - Function apps should have remote debugging turned off
 - App Service function apps public access should be restricted
 - Function apps should use managed identity
 - Appservice plan should not use free, shared or basic SKU
 - Web apps should be configured to always be on
 - App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
 - App Service apps should not have CORS configured to allow every resource to access your apps
 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
 - App Service apps should have resource logs enabled
 - Web app failed request tracing should be enabled
 - FTPS should be required in your Web App
 - Web apps should have health check enabled
 - Web app HTTP logs should be enabled
 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
 - Web app should use the latest 'Net Framework' version
 - Ensure that 'HTTP Version' is the latest, if used to run the Web app
 - Ensure that 'Java version' is the latest, if used as a part of the Web app
 - Ensure that 'PHP version' is the latest, if used as a part of the WEB app
 - Ensure that 'Python version' is the latest, if used as a part of the Web app
 - Latest TLS version should be used in your Web App
 - Ensure that Register with Azure Active Directory is enabled on App Service
 - Remote debugging should be turned off for Web Applications
 - Web app slot should only be accessible over HTTPS
 - Web Application should only be accessible over HTTPS
 - App Service apps should use a virtual network service endpoint
 - App Service apps should use managed identity
 - Web app should have more than one worker