-
Notifications
You must be signed in to change notification settings - Fork 327
/
Copy pathappsvc_checklist.en.json
562 lines (562 loc) · 26.9 KB
/
appsvc_checklist.en.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
{
"items": [
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
"waf": "Reliability",
"service": "App Services",
"guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
"id": "01.01.01",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
"waf": "Reliability",
"service": "App Services",
"guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
"id": "01.01.02",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
"waf": "Reliability",
"service": "App Services",
"guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
"id": "01.01.03",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Implement health checks",
"waf": "Reliability",
"service": "App Services",
"guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
"id": "01.01.04",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check"
},
{
"category": "Operations",
"subcategory": "Multi-tenant service",
"text": "Refer to backup and restore best practices for Azure App Service",
"waf": "Reliability",
"service": "App Services",
"guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
"id": "01.01.05",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Implement Azure App Service reliability best practices",
"waf": "Reliability",
"service": "App Services",
"guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
"id": "01.01.06",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Familiarize with how to move an App Service app to another region During a disaster",
"waf": "Reliability",
"service": "App Services",
"guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
"id": "01.01.07",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Familiarize with reliability support in Azure App Service",
"waf": "Reliability",
"service": "App Services",
"guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
"id": "01.02.02",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan",
"waf": "Reliability",
"service": "App Services",
"guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
"id": "01.02.03",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Monitor App Service instances using Health checks",
"waf": "Reliability",
"service": "App Services",
"guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
"id": "01.02.04",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests",
"waf": "Reliability",
"service": "App Services",
"guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
"id": "01.03.01",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
"waf": "Reliability",
"service": "App Services",
"guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
"id": "01.03.01.01",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Use Key Vault to store secrets",
"description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.",
"waf": "Security",
"service": "App Services",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"id": "A01.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Use Managed Identity to connect to Key Vault",
"description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.",
"waf": "Security",
"service": "App Services",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"id": "A01.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Use Key Vault to store TLS certificate.",
"description": "Store the App Service TLS certificate in Key Vault.",
"waf": "Security",
"service": "App Services",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"id": "A01.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Isolate systems that process sensitive information",
"description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.",
"waf": "Security",
"service": "App Services",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"id": "A01.04",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Do not store sensitive data on local disk",
"description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).",
"waf": "Security",
"service": "App Services",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"id": "A01.05",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Use an established Identity Provider for authentication",
"description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.",
"waf": "Security",
"service": "App Services",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"id": "A02.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Deploy from a trusted environment",
"description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.",
"waf": "Security",
"service": "App Services",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"id": "A02.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Disable basic authentication",
"description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.",
"waf": "Security",
"service": "App Services",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"id": "A02.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Use Managed Identity to connect to resources",
"description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
"waf": "Security",
"service": "App Services",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"id": "A02.04",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Pull containers using a Managed Identity",
"description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
"waf": "Security",
"service": "App Services",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"id": "A02.05",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry"
},
{
"category": "Security",
"subcategory": "Logging and Monitoring",
"text": "Send App Service runtime logs to Log Analytics",
"description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...",
"waf": "Security",
"service": "App Services",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"id": "A03.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
},
{
"category": "Security",
"subcategory": "Logging and Monitoring",
"text": "Send App Service activity logs to Log Analytics",
"description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
"waf": "Security",
"service": "App Services",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"id": "A03.02",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Outbound network access should be controlled",
"description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.",
"waf": "Security",
"service": "App Services",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"id": "A04.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Ensure a stable IP for outbound communications towards internet addresses",
"description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)",
"waf": "Security",
"service": "App Services",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"id": "A04.02",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Inbound network access should be controlled",
"description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.",
"waf": "Security",
"service": "App Services",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"id": "A04.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Use a WAF in front of App Service",
"description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.",
"waf": "Security",
"service": "App Services",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"id": "A04.04",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Avoid for WAF to be bypassed",
"description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.",
"waf": "Security",
"service": "App Services",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"id": "A04.05",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Set minimum TLS policy to 1.2",
"description": "Set minimum TLS policy to 1.2 in App Service configuration.",
"waf": "Security",
"service": "App Services",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"id": "A04.06",
"severity": "Medium",
"graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Use HTTPS only",
"description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.",
"waf": "Security",
"service": "App Services",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"id": "A04.07",
"severity": "High",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Wildcards must not be used for CORS",
"description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.",
"waf": "Security",
"service": "App Services",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"id": "A04.08",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Turn off remote debugging",
"description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.",
"waf": "Security",
"service": "App Services",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"id": "A04.09",
"severity": "High",
"graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Enable Defender for Cloud - Defender for App Service",
"description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.",
"waf": "Security",
"service": "App Services",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"id": "A04.10",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Enable DDOS Protection Standard on the WAF VNet",
"description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
"waf": "Security",
"service": "App Services",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"id": "A04.11",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Pull containers over a Virtual Network",
"description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
"waf": "Security",
"service": "App Services",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"id": "A04.12",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry"
},
{
"category": "Security",
"subcategory": "Penetration Testing",
"text": "Conduct a penetration test",
"description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
"waf": "Security",
"service": "App Services",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"id": "A05.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "Security",
"subcategory": "Vulnerability Management",
"text": "Deploy validated code",
"description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
"waf": "Security",
"service": "App Services",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"id": "A06.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure"
},
{
"category": "Security",
"subcategory": "Vulnerability Management",
"text": "Use up-to-date platforms, languages, protocols and frameworks",
"description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
"waf": "Security",
"service": "App Services",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"id": "A06.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime"
}
],
"categories": [
{
"name": "Security"
},
{
"name": "Network Topology and Connectivity"
},
{
"name": "BC and DR"
},
{
"name": "Governance and Security"
},
{
"name": "Cost Governance"
},
{
"name": "Operations"
},
{
"name": "Application Deployment"
}
],
"waf": [
{
"name": "Reliability"
},
{
"name": "Security"
},
{
"name": "Cost"
},
{
"name": "Operations"
},
{
"name": "Performance"
}
],
"yesno": [
{
"name": "Yes"
},
{
"name": "No"
}
],
"status": [
{
"name": "Not verified",
"description": "This check has not been looked at yet"
},
{
"name": "Open",
"description": "There is an action item associated to this check"
},
{
"name": "Fulfilled",
"description": "This check has been verified, and there are no further action items associated to it"
},
{
"name": "N/A",
"description": "Not applicable for current design"
},
{
"name": "Not required",
"description": "Not required"
}
],
"severities": [
{
"name": "High"
},
{
"name": "Medium"
},
{
"name": "Low"
}
],
"metadata": {
"name": "Azure App Service Review",
"state": "Preview",
"waf": "all",
"timestamp": "March 07, 2024"
}
}