Benchmark: Compute
Description
This section contains recommendations for configuring Compute resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Compute.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_compute
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_compute --share
Controls
- Log Analytics extension should be installed on your Linux Azure Arc machines
- Log Analytics extension should be installed on your Windows Azure Arc machines
- Disk access resources should use private link
- Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
- Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
- Unattached Compute disks should be encrypted with ADE/CMK
- OS and data disks should be encrypted with a customer-managed key
- Managed disks should be double encrypted with both platform-managed and customer-managed keys
- Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Audit Linux machines that have accounts without passwords
- Virtual machines and virtual machine scale sets should have encryption at host enabled
- Virtual machines should be connected to an approved virtual network
- Compute virtual machines should use managed disk for OS and data disk
- Audit virtual machines without disaster recovery configured
- Guest Configuration extension should be installed on your machines
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
- Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
- Management ports of virtual machines should be protected with just-in-time network access control
- Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
- Audit Windows machines on which the Log Analytics agent is not connected as expected
- Microsoft Antimalware for Azure should be configured to automatically update protection signatures
- Deploy default Microsoft IaaSAntimalware extension for Windows Server
- Audit Windows machines that do not have a maximum password age of 70 days
- Linux machines should meet requirements for the Azure compute security baseline
- Windows machines should meet requirements of the Azure compute security baseline
- Audit Windows machines that do not have a minimum password age of 1 day
- Audit Windows machines that do not restrict the minimum password length to 14 characters
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Audit Windows machines that do not have the password complexity setting enabled
- Audit Windows machines that do not store passwords using reversible encryption
- All network ports should be restricted on network security groups associated to your virtual machine
- Audit Windows machines that allow re-use of the previous 24 passwords
- Audit Linux machines that allow remote connections from accounts without passwords
- Compute virtual machine scale sets should have automatic OS image patching enabled
- Virtual Machine scale sets boot diagnostics should be enabled
- Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
- Resource logs in Virtual Machine Scale Sets should be enabled
- Compute virtual machine scale sets with linux OS should have SSH key authentication enabled
- Virtual machine scale sets should use managed disks
- Windows web servers should be configured to use secure communication protocols
- Authentication to Linux machines should require SSH keys
- System updates should be installed on your machines
- Internet-facing virtual machines should be protected with network security groups
- Virtual machines should be migrated to new Azure Resource Manager resources
- Ensure Virtual Machines are utilizing Managed Disks
- A vulnerability assessment solution should be enabled on your virtual machines
- Windows Defender Exploit Guard should be enabled on your machines
- IP Forwarding on your virtual machine should be disabled