Benchmark: Remote Access (AC-17)
Description
Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Remote Access (AC-17).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.fedramp_high_ac_17
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.fedramp_high_ac_17 --share
Benchmarks
Controls
- App Configuration should use private link
- App Service apps should have remote debugging turned off
- Function apps should have remote debugging turned off
- Cognitive Services should use private link
- Disk access resources should use private link
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
- Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
- Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
- Audit Linux machines that allow remote connections from accounts without passwords
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vaults should use private link
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Private endpoint connections on Azure SQL Database should be enabled
- Storage accounts should restrict network access
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link