Control: 6.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Description
Basic or Free SKUs in Azure, whilst cost effective, have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKUs do not have a service SLA and Microsoft may refuse to provide support for them. Consequently, Basic/Free SKUs should never be used for production workloads.
While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining appropriate SKUs depends on the context and requirements of each organization and environment.
Remediation
Each resource has its own process for upgrading from Basic to Standard SKUs, which should be followed if required.
- Public IP Address: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-upgrade.
- Basic Load Balancer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-basic-upgrade-guidance.
- Azure Cache for Redis: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-scale.
- Azure SQL Database: https://learn.microsoft.com/en-us/azure/azure-sql/database/scale-resources.
- VPN Gateway: https://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-resize.
Default Value
Policy should enforce standard SKUs for the following artifacts:
- Public IP Addresses
- Network Load Balancers
- REDIS Cache
- SQL PaaS Databases
- VPN Gateways
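Because the assessment is manual, a first-pass triage over an exported resource inventory can narrow down what needs a human look. The following is an added example, not part of the benchmark or the Powerpipe mod: it assumes an inventory in ARM-style resource JSON where the SKU sits either at the top level or under `properties`, and the function names, status labels and sample records are constructed for illustration.

```python
import json

# ARM resource types for the artifacts this control lists (lower-cased for matching).
MONITORED_TYPES = {
    "microsoft.network/publicipaddresses": "Public IP Address",
    "microsoft.network/loadbalancers": "Load Balancer",
    "microsoft.cache/redis": "Azure Cache for Redis",
    "microsoft.sql/servers/databases": "Azure SQL Database",
    "microsoft.network/virtualnetworkgateways": "VPN Gateway",
}
WEAK_SKUS = {"basic", "free", "consumption"}  # SKU levels named by the control

def sku_values(resource):
    """Collect SKU name/tier from the top-level 'sku' and from 'properties.sku'."""
    found = []
    for holder in (resource, resource.get("properties") or {}):
        sku = holder.get("sku") or {}
        if isinstance(sku, dict):
            found += [str(sku[k]).lower() for k in ("name", "tier") if sku.get(k)]
    return found

def assess(resources):
    """Return (resource id, artifact label, status) for each in-scope resource."""
    results = []
    for res in resources:
        label = MONITORED_TYPES.get(str(res.get("type", "")).lower())
        if label is None:
            continue  # not one of the artifacts this control lists
        skus = sku_values(res)
        if not skus:
            status = "review"  # SKU missing from the export: verify by hand
        elif WEAK_SKUS.intersection(skus):
            status = "alarm"
        else:
            status = "ok"
        results.append((res.get("id", "<no id>"), label, status))
    return results

# Constructed sample inventory (not real resources).
SAMPLE = json.loads("""[
 {"id": "/ex/pip-web", "type": "Microsoft.Network/publicIPAddresses", "sku": {"name": "Basic"}},
 {"id": "/ex/lb-app", "type": "Microsoft.Network/loadBalancers"},
 {"id": "/ex/redis-1", "type": "Microsoft.Cache/Redis", "properties": {"sku": {"name": "Standard"}}},
 {"id": "/ex/sqldb-1", "type": "Microsoft.Sql/servers/databases", "sku": {"name": "GP_Gen5_2", "tier": "GeneralPurpose"}},
 {"id": "/ex/vpngw-1", "type": "Microsoft.Network/virtualNetworkGateways", "properties": {"sku": {"name": "Basic", "tier": "Basic"}}},
 {"id": "/ex/stor-1", "type": "Microsoft.Storage/storageAccounts", "sku": {"name": "Standard_LRS"}}
]""")

if __name__ == "__main__":
    print(*assess(SAMPLE), sep="\n")
```

Resources marked `review` carry no SKU in the export and still need the manual check; whether an `alarm` is acceptable depends on whether the resource serves a production workload.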
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_6_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_6_1_5 --share
SQL
This control uses a named query:
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;