Benchmark: App Service
Description
This benchmark provides a set of controls that detect Terraform Azure App Service resources deviating from security best practices.
Usage
Install the mod:
    mkdir dashboards
    cd dashboards
    powerpipe mod init
    powerpipe mod install github.com/turbot/steampipe-mod-terraform-azure-compliance
Start the Powerpipe server:
    steampipe service start
    powerpipe server
Open http://localhost:9033 in your browser and select App Service.
Run this benchmark in your terminal:
    powerpipe benchmark run terraform_azure_compliance.benchmark.appservice
Snapshot and share results via Turbot Pipes:
    powerpipe benchmark run terraform_azure_compliance.benchmark.appservice --share
Controls
 - Ensure App Service Authentication is set on Azure App Service
 - Azure Defender for App Service should be enabled
 - App Service Environment should enable internal encryption
 - App Service environment should be zone redundant
 - Ensure FTP deployments are disabled
 - Function Apps builtin logging should be enabled
 - Function apps should have 'Client Certificates (Incoming client certificates)' enabled
 - CORS should not allow every resource to access your Function Apps
 - FTPS only should be required in your Function App
 - Ensure that 'HTTP Version' is the latest, if used to run the Function app
 - Ensure that 'Java version' is the latest, if used as a part of the Function app
 - Ensure that 'Python version' is the latest, if used as a part of the Function app
 - Latest TLS version should be used in your Function App
 - Function App should only be accessible over HTTPS
 - Function apps should restrict public network access
 - Managed identity should be used in your Function App
 - App Service plans should not use free, shared or basic SKU
 - App Service plans should be zone redundant
 - Web apps should be configured to always be on
 - Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
 - CORS should not allow every resource to access your Web Applications
 - Web apps detailed error messages should be enabled
 - Diagnostic logs in App Services should be enabled
 - Web apps failed request tracing should be enabled
 - FTPS should be required in your Web App
 - Web apps should have health check enabled
 - Web apps HTTP logs should be enabled
 - Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
 - Web apps should use the latest 'Net Framework' version
 - Ensure that 'HTTP Version' is the latest, if used to run the Web app
 - Ensure that 'Java version' is the latest, if used as a part of the Web app
 - Ensure that 'PHP version' is the latest, if used as a part of the WEB app
 - Ensure that 'Python version' is the latest, if used as a part of the Web app
 - Latest TLS version should be used in your Web App
 - Web apps should restrict public network access
 - Ensure that Register with Azure Active Directory is enabled on App Service
 - Remote debugging should be turned off for Web Applications
 - Web app slots should use the latest TLS version
 - Web app slots remote debugging should be disabled
 - Web app slots should only be accessible over HTTPS
 - Web Application should only be accessible over HTTPS
 - App Service should use a virtual network service endpoint
 - Web apps should use Azure files
 - Managed identity should be used in your Web App
 - Web apps should have more than one worker