Benchmark: 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
Description
Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_1_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_1_1 --share
Controls
- App Configuration should use private link
- App Service apps should have remote debugging turned off
- Function apps should have remote debugging turned off
- Function apps should use managed identity
- App Service apps should use managed identity
- Cognitive Services should use private link
- Cognitive Services accounts should have local authentication methods disabled
- Disk access resources should use private link
- Audit Linux machines that have accounts without passwords
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
- Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
- Audit Linux machines that allow remote connections from accounts without passwords
- Authentication to Linux machines should require SSH keys
- Virtual machines should be migrated to new Azure Resource Manager resources
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Azure API for FHIR should use private link
- Blocked accounts with owner permissions on Azure resources should be removed
- Blocked accounts with read and write permissions on Azure resources should be removed
- Guest accounts with owner permissions on Azure resources should be removed
- Guest accounts with read permissions on Azure resources should be removed
- Guest accounts with write permissions on Azure resources should be removed
- Audit usage of custom RBAC roles
- A maximum of 3 owners should be designated for your subscription
- IoT Hub device provisioning service instances should use private link
- Azure Key Vaults should use private link
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Service Fabric clusters should only use Azure Active Directory for client authentication
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- An Azure Active Directory administrator should be provisioned for SQL servers
- Private endpoint connections on Azure SQL Database should be enabled
- Storage accounts should restrict network access
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link