Benchmark: 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Description
Basic or Free SKUs in Azure, whilst cost effective, have significant limitations in terms of what can be monitored and what support can be obtained from Microsoft. Typically, these SKUs do not have a service SLA, and Microsoft will usually refuse to provide support for them. Consequently, Basic/Free SKUs should never be used for production workloads.
Typically, production workloads need to be monitored and should have an SLA with Microsoft. Using Basic SKUs for any deployed product means that these capabilities do not exist.
The following resource types should use standard SKUs as a minimum.
- Public IP Addresses
- Network Load Balancers
- REDIS Cache
- SQL PaaS Databases
- VPN Gateways
Remediation
Each artifact has its own process for upgrading from Basic to Standard SKUs, and this should be followed if required.
Default Value
Policy should enforce standard SKUs for the following artifacts:
- Public IP Addresses
- Network Load Balancers
- REDIS Cache
- SQL PaaS Databases
- VPN Gateways
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v210_5_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v210_5_5 --share
Controls
- Network load balancers should use standard SKUs as a minimum
- Network public IPs should use standard SKUs as a minimum
- Virtual network gateways should use standard SKUs as a minimum
- Azure Cache for Redis should use standard SKUs as a minimum