-
Notifications
You must be signed in to change notification settings - Fork 329
/
Copy pathappsvc_checklist.en.json
638 lines (638 loc) · 36.6 KB
/
appsvc_checklist.en.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
{
"items": [
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.",
"description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.",
"waf": "Reliability",
"service": "App Services",
"guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
"id": "01.01.01",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Use Premium and Standard tiers for staging slots and automated backups. Align your backup retention period with disaster recovery needs.",
"description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.",
"waf": "Reliability",
"service": "App Services",
"guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
"id": "01.01.02",
"cost": 1,
"severity": "Medium",
"graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). Check region support for Availability Zones.",
"description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.",
"waf": "Reliability",
"service": "App Services",
"guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
"id": "01.01.03",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/azure/reliability/migrate-app-service"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Implement health checks to monitor and detect issues with App Service instances. Health checks enable automatic instance replacement on failure.",
"description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.",
"waf": "Reliability",
"service": "App Services",
"guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
"id": "01.01.04",
"cost": 1,
"severity": "Medium",
"graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check"
},
{
"category": "Operations",
"subcategory": "Multi-tenant service",
"text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.",
"description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.",
"waf": "Reliability",
"service": "App Services",
"guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
"id": "01.01.05",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/manage-backup"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.",
"description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. Leverage health checks and availability zones to maintain uptime.",
"waf": "Reliability",
"service": "App Services",
"guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
"id": "01.01.06",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.",
"description": "Prepare for disaster recovery by implementing region failover strategies. Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.",
"waf": "Reliability",
"service": "App Services",
"guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
"id": "01.01.07",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.",
"description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). Leverage these features to maintain consistent performance during outages.",
"waf": "Reliability",
"service": "App Services",
"guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
"id": "01.02.02",
"cost": 1,
"severity": "High",
"link": "https://learn.microsoft.com/azure/reliability/reliability-app-service"
},
{
"category": "BC and DR",
"subcategory": "High Availability",
"text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.",
"description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.",
"waf": "Reliability",
"service": "App Services",
"guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
"id": "01.02.03",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.",
"description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.",
"waf": "Reliability",
"service": "App Services",
"guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
"id": "01.02.04",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.",
"waf": "Reliability",
"service": "App Services",
"guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
"id": "01.03.01",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
"waf": "Reliability",
"service": "App Services",
"guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
"id": "01.03.01.01",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.",
"description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.",
"waf": "Security",
"service": "App Services",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"id": "A01.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.",
"description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.",
"waf": "Security",
"service": "App Services",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"id": "A01.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.",
"description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. This reduces the risk of manual handling errors and certificate expiration.",
"waf": "Security",
"service": "App Services",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"id": "A01.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.",
"description": "To minimize exposure and improve security, isolate systems processing sensitive data. Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.",
"waf": "Security",
"service": "App Services",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"id": "A01.04",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans"
},
{
"category": "Security",
"subcategory": "Data Protection",
"text": "Do not store sensitive data on local disk",
"description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).",
"waf": "Security",
"service": "App Services",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"id": "A01.05",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).",
"description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.",
"waf": "Security",
"service": "App Services",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"id": "A02.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Deploy code to App Service from a trusted and secure environment.",
"description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.",
"waf": "Security",
"service": "App Services",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"id": "A02.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.",
"description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.",
"waf": "Security",
"service": "App Services",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"id": "A02.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.",
"description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.",
"waf": "Security",
"service": "App Services",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"id": "A02.04",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp"
},
{
"category": "Security",
"subcategory": "Identity and Access Control",
"text": "Pull container images from Azure Container Registry using a Managed Identity.",
"description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. This ensures secure access to container images and reduces the risk of credential exposure.",
"waf": "Security",
"service": "App Services",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"id": "A02.05",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry"
},
{
"category": "Security",
"subcategory": "Logging and Monitoring",
"text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.",
"description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. Centralized logging enhances monitoring, threat detection, and compliance reporting.",
"waf": "Security",
"service": "App Services",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"id": "A03.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
},
{
"category": "Security",
"subcategory": "Logging and Monitoring",
"text": "Send App Service activity logs to Log Analytics",
"description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
"waf": "Security",
"service": "App Services",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"id": "A03.02",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.",
"description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.",
"waf": "Security",
"service": "App Services",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"id": "A04.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.",
"description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.",
"waf": "Security",
"service": "App Services",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"id": "A04.02",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.",
"description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.",
"waf": "Security",
"service": "App Services",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"id": "A04.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Use a Web Application Firewall (WAF) in front of App Service.",
"description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. Ensure WAF logs are monitored regularly to detect and respond to security threats.",
"waf": "Security",
"service": "App Services",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"id": "A04.04",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Ensure the WAF cannot be bypassed by securing access to App Service.",
"description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.",
"waf": "Security",
"service": "App Services",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"id": "A04.05",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.",
"description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.",
"waf": "Security",
"service": "App Services",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"id": "A04.06",
"severity": "Medium",
"graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).",
"description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.",
"waf": "Security",
"service": "App Services",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"id": "A04.07",
"severity": "High",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Avoid using wildcards for CORS; specify allowed origins explicitly.",
"description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.",
"waf": "Security",
"service": "App Services",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"id": "A04.08",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Turn off remote debugging in production environments.",
"description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.",
"waf": "Security",
"service": "App Services",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"id": "A04.09",
"severity": "High",
"graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Enable Defender for Cloud - Defender for App Service",
"description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.",
"waf": "Security",
"service": "App Services",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"id": "A04.10",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Enable DDOS Protection Standard on the WAF VNet",
"description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
"waf": "Security",
"service": "App Services",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"id": "A04.11",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Security",
"subcategory": "Network Security",
"text": "Pull container images over a Virtual Network from Azure Container Registry.",
"description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. This ensures secure communication between App Service and the registry, preventing exposure to the public internet.",
"waf": "Security",
"service": "App Services",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"id": "A04.12",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry"
},
{
"category": "Security",
"subcategory": "Penetration Testing",
"text": "Conduct a penetration test on the web application.",
"description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.",
"waf": "Security",
"service": "App Services",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"id": "A05.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "Security",
"subcategory": "Vulnerability Management",
"text": "Deploy validated and vulnerability-scanned code.",
"description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. This minimizes the risk of introducing security vulnerabilities into the application environment.",
"waf": "Security",
"service": "App Services",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"id": "A06.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure"
},
{
"category": "Security",
"subcategory": "Vulnerability Management",
"text": "Use up-to-date platforms, languages, protocols and frameworks",
"description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.",
"waf": "Security",
"service": "App Services",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"id": "A06.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime"
},
{
"category": "Operations",
"subcategory": "High Availability",
"text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.",
"description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.",
"waf": "Reliability",
"service": "App Services",
"guid": "60b3a935-33e5-45c9-87c7-53882e395b46",
"id": "01.02.05",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics"
},
{
"category": "Operations",
"subcategory": "Monitoring",
"text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.",
"description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).",
"waf": "Reliability",
"service": "App Services",
"guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557",
"id": "01.03.02",
"cost": 1,
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts"
},
{
"category": "Governance and Security",
"subcategory": "Compliance",
"text": "Apply Azure Policy to enforce compliance across App Service configurations.",
"description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.",
"waf": "Governance",
"service": "App Services",
"guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c",
"id": "G01.01",
"cost": 2,
"severity": "High",
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Cost Governance",
"subcategory": "Cost Monitoring",
"text": "Monitor App Service costs using Azure Cost Management and create cost alerts.",
"description": "Leverage Azure Cost Management to track and forecast App Service expenses. Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.",
"waf": "Cost",
"service": "App Services",
"guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832",
"id": "C01.01",
"cost": 1,
"severity": "Low",
"link": "https://learn.microsoft.com/azure/cost-management-billing/"
},
{
"category": "Cost Governance",
"subcategory": "Cost Optimization",
"text": "Purchase reserved instances for App Service plans to optimize long-term costs.",
"description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. Commit to one or three years for lower pricing compared to pay-as-you-go.",
"waf": "Cost",
"service": "App Services",
"guid": "e489221b-487e-48a3-aaab-48e3d205ca12",
"id": "C01.02",
"cost": 3,
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/"
}
],
"categories": [
{
"name": "Security"
},
{
"name": "Network Topology and Connectivity"
},
{
"name": "BC and DR"
},
{
"name": "Governance and Security"
},
{
"name": "Cost Governance"
},
{
"name": "Operations"
},
{
"name": "Application Deployment"
}
],
"waf": [
{
"name": "Reliability"
},
{
"name": "Security"
},
{
"name": "Cost"
},
{
"name": "Operations"
},
{
"name": "Performance"
}
],
"yesno": [
{
"name": "Yes"
},
{
"name": "No"
}
],
"status": [
{
"name": "Not verified",
"description": "This check has not been looked at yet"
},
{
"name": "Open",
"description": "There is an action item associated to this check"
},
{
"name": "Fulfilled",
"description": "This check has been verified, and there are no further action items associated to it"
},
{
"name": "N/A",
"description": "Not applicable for current design"
},
{
"name": "Not required",
"description": "Not required"
}
],
"severities": [
{
"name": "High"
},
{
"name": "Medium"
},
{
"name": "Low"
}
],
"metadata": {
"name": "Azure App Service Review",
"state": "Preview",
"waf": "all",
"timestamp": "March 07, 2024"
}
}