API Security Testing

Discovering API documentation
Even if API documentation isn't openly available, you may still be able to access it by browsing applications that use the API.
Use Burp Scanner to crawl the API.
Look for endpoints that may refer to API documentation, for example:
/api
/swagger/index.html
/openapi.json
/api/swagger
/api/swagger/v1
You can also parse OpenAPI documentation using the OpenAPI Parser BApp.

Identifying API endpoints
While browsing the application, look for patterns that suggest API endpoints in the URL structure, such as /api/. Also look out for JavaScript files.
Burp Scanner automatically extracts some endpoints during crawls, but for a more heavyweight extraction, use the JS Link Finder BApp.
For example, in the request
GET /api/books HTTP/1.1
Host: example.com
the endpoint is /api/books.

Interacting with API endpoints
The HTTP method specifies the action to be performed on a resource.
Lab: after reviewing the GET request for checkout, change it to a POST request and check the error message. No error means the request is being processed.
Also check the Content-Type header: an endpoint may process the same request differently depending on the content type it is sent.

Mass assignment
Compare the fields an update request sends with the fields returned for the same object. If the response includes hidden parameters such as id and isAdmin, this may indicate that the hidden id and isAdmin parameters are bound to the internal user object, alongside the updated username and email parameters.
Lab: use a PATCH request to modify the isAdmin parameter and check the behaviour.

Preventing vulnerabilities in APIs
Secure your documentation if you don't intend your API to be publicly accessible.
Ensure your documentation is kept up to date so that legitimate testers have full visibility of the API's attack surface.
Apply an allowlist of permitted HTTP methods.
Validate that the content type is expected for each request or response.
Use generic error messages to avoid giving away information that may be useful for an attacker.
Use protective measures on all versions of your API, not just the current production version.

Server-side parameter pollution
Some systems contain internal APIs that aren't directly accessible from the internet. Server-side parameter pollution occurs when a website embeds user input in a server-side request to an internal API without adequate encoding. This means that an attacker may be able to manipulate or inject parameters into that internal request.
You can test any user input for any kind of parameter pollution. For example, query parameters, form fields, headers, and URL path parameters may all be vulnerable.
This vulnerability is sometimes called HTTP parameter pollution. However, this term is also used to refer to a web application firewall (WAF) bypass technique. To avoid confusion, in this topic we'll only refer to server-side parameter pollution.
In addition, despite the similar name, this vulnerability class has very little in common with server-side prototype pollution.

Testing for server-side parameter pollution in the query string
To test for server-side parameter pollution in the query string, place query syntax characters like #, &, and = in your input and observe how the application responds.
Consider a vulnerable application that enables you to search for other users based on their username. When you search for a user, your browser makes the following request:
GET /userSearch?name=peter&back=/home
To retrieve user information, the server queries an internal API with the following request:
GET /users/search?name=peter&publicProfile=true
You can use a URL-encoded # character to attempt to truncate the server-side request. To help you interpret the response, you could also add a string after the # character.
For example, you could modify the query string to the following:
GET /userSearch?name=peter%23foo&back=/home
The front-end will try to access the following URL:
GET /users/search?name=peter#foo&publicProfile=true
It's essential that you URL-encode the # character. Otherwise the front-end application will interpret it as a fragment identifier and it won't be passed to the internal API.
Review the response for clues about whether the query has been truncated. For example, if the response returns the user peter, the server-side query may have been truncated. If an Invalid name error message is returned, the application may have treated foo as part of the username. This suggests that the server-side request may not have been truncated.
If you're able to truncate the server-side request, this removes the requirement for the publicProfile field to be set to true. You may be able to exploit this to return non-public user profiles.
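Added example, not part of the original notes: a Python simulation of the userSearch front-end and the internal /users/search request described above, with the vulnerable string-concatenation builder beside a hardened one that percent-encodes the value. It also covers the & and = case the notes mention but do not walk through. The internal host name is a constructed placeholder.

```python
"""Server-side parameter pollution: how an unencoded '#' (or '&' / '=') in user
input changes the request a front-end sends to its internal API (constructed demo)."""
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlsplit

INTERNAL_API = "http://internal-api.local"  # constructed placeholder host


def build_internal_url_unsafe(name: str) -> str:
    """Vulnerable front-end: the decoded user value is concatenated straight into
    the query string sent to the internal API, so query metacharacters survive."""
    return f"{INTERNAL_API}/users/search?name={name}&publicProfile=true"


def build_internal_url_safe(name: str) -> str:
    """Hardened front-end: the value is percent-encoded, so '#', '&' and '='
    from the input stay inside the name parameter and cannot add or drop others."""
    query = urlencode({"name": name, "publicProfile": "true"})
    return f"{INTERNAL_API}/users/search?{query}"


def internal_api_params(url: str) -> Dict[str, str]:
    """Parse the request the way the internal API sees it: everything after an
    unencoded '#' is a fragment and never reaches the server. Duplicate keys keep
    the first value here; real APIs differ, which is exactly what testing reveals."""
    parts = urlsplit(url)
    return {key: values[0] for key, values in parse_qs(parts.query).items()}


def front_end_search(browser_url: str, builder: Callable[[str], str]) -> Dict[str, str]:
    """Simulate GET /userSearch?name=...: the browser drops any fragment before the
    request leaves the client, the front-end URL-decodes the name parameter
    (%23 -> '#'), then builds the internal request with `builder`."""
    sent = urlsplit(browser_url)  # fragment (if any) is not transmitted
    name = parse_qs(sent.query).get("name", [""])[0]
    return internal_api_params(builder(name))


def constraint_dropped(raw_name: str, builder: Callable[[str], str] = build_internal_url_unsafe) -> bool:
    """Check from the walkthrough: did this input remove the publicProfile=true
    constraint from the internal request? True means the request was truncated."""
    params = front_end_search(f"/userSearch?name={raw_name}&back=/home", builder)
    return params.get("publicProfile") != "true"


if __name__ == "__main__":
    for raw in ("peter", "peter%23foo", "peter#foo"):
        print(raw, "->", front_end_search(f"/userSearch?name={raw}&back=/home",
                                          build_internal_url_unsafe))
```

With the unencoded `peter#foo` the browser itself strips `#foo`, which is why the notes insist on sending `%23`; only the encoded form reaches the vulnerable builder and truncates the internal request.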
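Also added here, and likewise not from the original notes: the mass assignment check from the notes above in code. A PATCH handler that binds every JSON field (the vulnerable pattern) sits beside one that binds only an allowlist, together with the tester's heuristic of comparing the fields a GET response exposes with the fields the update request sends. The User dataclass and the sample JSON are constructed for this example.

```python
"""Mass assignment: unsafe field binding vs. an allowlist, plus the hidden-field
comparison used to spot it (constructed example)."""
import json
from dataclasses import dataclass
from typing import List


@dataclass
class User:
    id: int
    username: str
    email: str
    isAdmin: bool = False


# Fields a user may legitimately change about their own profile.
UPDATABLE_FIELDS = frozenset({"username", "email"})

# Constructed sample traffic: what the update request sends, and what the
# matching GET response returns for the same object.
PATCH_BODY = '{"username": "wiener", "email": "wiener@example.com"}'
GET_RESPONSE = ('{"id": 7, "username": "wiener", "email": "wiener@example.com", '
                '"isAdmin": false}')


def hidden_fields(get_response: str, patch_body: str) -> List[str]:
    """Tester's heuristic: fields present in the GET response but absent from the
    update request may be bound internally and are worth probing with PATCH."""
    return sorted(set(json.loads(get_response)) - set(json.loads(patch_body)))


def apply_patch_unsafe(user: User, body: str) -> User:
    """Vulnerable: every key in the PATCH body is bound to the user object, so a
    client that adds "isAdmin": true to its own profile update escalates itself."""
    for key, value in json.loads(body).items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def apply_patch_safe(user: User, body: str) -> User:
    """Hardened: only allowlisted fields are bound. Unexpected keys are rejected
    before anything is written, and the rejection is what a server should log."""
    patch = json.loads(body)
    unexpected = set(patch) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s) in PATCH body: {sorted(unexpected)}")
    for key in UPDATABLE_FIELDS & set(patch):
        setattr(user, key, patch[key])
    return user


def rejects_patch(user: User, body: str) -> bool:
    """True when the hardened handler refuses the body, False when it applies it."""
    try:
        apply_patch_safe(user, body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("hidden fields to probe:", hidden_fields(GET_RESPONSE, PATCH_BODY))
    escalated = '{"username": "wiener", "isAdmin": true}'
    print("unsafe:", apply_patch_unsafe(User(7, "wiener", "wiener@example.com"), escalated))
    print("safe rejects:", rejects_patch(User(7, "wiener", "wiener@example.com"), escalated))
```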
OAuth
Threat modeling for OAuth 2.0 via Security by Design approach using the Microsoft Threat Modeling tool [Part 2] | LinkedIn
| Main Area | Sub Area | WAF Pillar | Checklist item | Description (optional) | Severity |
|---|---|---|---|---|---|
| Azure Networking | Public IPs | Security | VMs with public IPs should be protected by an NSG | | High |
| Azure Networking | Public IPs | Security | VMs with public IPs are moved behind Azure Firewall Premium | Customer operational best practice - verify | High |
| Azure Networking | Public IPs | Security | VMs that don't need public IPs do not have public IPs (i.e. internal RDP only) | Customer operational best practice - verify | High |
| Azure Networking | NSG | Security | NSG RBAC is used to restrict access to the network security team | | Medium |
| Azure Networking | NSG | Security | NSG inbound security rules do not contain a * (wildcard) in the Source field | Customer operational best practice - verify | High |
| Azure Networking | NSG | Security | NSG outbound security rules are used to control traffic to specific IP addresses for traffic not routed through a firewall | Customer operational best practice - verify | Medium |
| Azure Networking | NSG | Security | NSGs do not have Source set to * (wildcard) | Customer operational best practice - verify | High |
| Azure Networking | NSG | Security | NSG diagnostics send NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter traffic to the Sentinel LAW | | Medium |
| Azure Networking | UDR | Security | UDR RBAC is used to restrict access to the network security team | | Medium |
| Azure Networking | UDR | Security | If Zero Trust, then UDRs are used to send all traffic to Azure Firewall Premium | | High |
| Azure Networking | UDR | Security | UDRs that do not send all traffic to Azure Firewall Premium are known and documented | Customer operational best practice - verify | Medium |
| Azure Networking | Virtual Networks | Security | Customer is familiar with Azure networking defaults / SDN default routing in Azure | | High |
| Azure Networking | Virtual Networks | Security | VNet RBAC is used to restrict access to the network security team | Customer operational best practice - verify | Medium |
| Azure Networking | Virtual Networks | Security | VNet security recommendations are remediated and there are no 'At-risk' VNets | | High |
| Azure Networking | Virtual Networks | Security | VNet peering connections are understood and expected traffic flows are documented | | High |
| Azure Networking | Virtual Networks | Security | VNet service endpoints are in use, no legacy public service endpoints exist | | High |
| Azure Networking | Virtual Networks | Security | VNet private endpoints are in use to allow access from on-premises environments, no legacy public endpoints exist | | High |
| Azure Networking | Virtual Networks | Security | VNet monitoring enabled | | High |
| Azure Networking | Virtual Networks | Security | Secure traffic between pods using network policies in Azure Kubernetes Service (AKS) | | High |
| Azure Networking | Virtual Networks | Security | VNet NVA (appliances): customer follows the published architecture pattern | | High |
| Azure Networking | Virtual Networks | Security | VNet diagnostic settings are enabled and sending VMProtectionAlerts to the Azure Sentinel LAW | | High |
| Azure Networking | Connectivity | Security | Use ExpressRoute or VPN to access Azure resources from on-premises environments | | High |
| Azure Networking | Virtual WAN | Security | VWAN RBAC is used to restrict access to the network security team | | High |
| Azure Networking | Virtual WAN | Security | VWAN: customer is using Secure Hub or an external firewall to route and monitor traffic | | High |
| Azure Networking | Application Gateway | Security | AppGW RBAC is used to restrict access to the network security team | | High |
| Azure Networking | Application Gateway | Security | AppGW: all external facing web services are behind Application Gateways with WAF enabled | | High |
| Azure Networking | Application Gateway | Security | AppGW: all internal facing web services are behind Application Gateways with WAF enabled | | High |
| Azure Networking | Application Gateway | Security | AppGW external facing has TLS/SSL enabled and redirects all traffic to 443 (no port 80 traffic) | | High |
| Azure Networking | FrontDoor | Security | Front Door RBAC is used to restrict access to the network security team | | High |
| Azure Networking | FrontDoor | Security | Front Door is associated with a WAF policy | | High |
| Azure Networking | FrontDoor | Security | Front Door TLS/SSL policy is configured | | High |
| Azure Networking | FrontDoor | Security | Front Door redirect from port 80 to port 443 is configured (listeners) | | High |
| Azure Networking | FrontDoor | Security | Front Door diagnostic logs send ApplicationGatewayAccessLog & ApplicationGatewayFirewallLog to the Sentinel LAW | | High |
| Azure Networking | DDOS Protection | Security | Enabled for Firewall public IPs (all public IPs) | | High |
| VM Security Check | Access Control | Security | Control VM access leveraging Azure Policy | | High |
| VM Security Check | Access Control | Security | Reduce variability in your setup and deployment of VMs by leveraging templates | | Medium |
| VM Security Check | Access Control | Security | Secure privileged access to deploy VMs by reducing who has access to resources through governance | | Medium |
| VM Security Check | Protect against malware | Security | Install antimalware solutions | | High |
| VM Security Check | Protect against malware | Security | Integrate the antimalware solution with Security Center | | High |
| VM Security Check | Manage VM Updates | Security | Keep VMs up to date using Update Management with Azure Automation | | High |
| VM Security Check | Manage VM Updates | Security | Ensure Windows images for deployment have the most recent level of updates | | Medium |
| VM Security Check | Manage VM Updates | Security | Rapidly apply security updates to VMs using Microsoft Defender for Cloud | | High |
| VM Security Check | Encrypt your VHDs | Security | Enable encryption on your VMs | | High |
| VM Security Check | Encrypt your VHDs | Security | Add a Key Encryption Key (KEK) for an added layer of security for encryption | | High |
| VM Security Check | Encrypt your VHDs | Security | Take a snapshot of disks before encryption for rollback purposes | | Medium |
| VM Security Check | Restrict direct intern | Security | Ensure only the central networking group has permissions to networking resources | | High |
| VM Security Check | Restrict direct intern | Security | Identify and remediate exposed VMs that allow access from 'ANY' source IP address | | High |
| VM Security Check | Restrict direct intern | Security | Restrict management ports (RDP, SSH) using Just-in-Time access | | High |
| VM Security Check | Restrict direct intern | Security | Remove internet access and implement jump servers for RDP | | High |
| VM Security Check | Restrict direct intern | Security | Remove direct logging into servers using RDP/SSH from the internet and implement VPN or ExpressRoute | | High |
| VM Security Check | Restrict direct intern | Security | Leverage Azure Bastion as your RDP/SSH broker for added security and a reduced footprint | | High |
| Sentinel | Data Connectors | Security | Azure Active Directory is configured and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Azure Active Directory Identity Protection is configured and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Azure Activity is configured and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Microsoft Defender for Cloud is configured and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Azure Firewall is configured and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Windows Firewall is configured and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Security Events is configured with AMA and 'Last Log Received' shows today | | High |
| Sentinel | Data Connectors | Security | Security Events - verify Azure computers are connected and sending data to the workspace | | High |
| Sentinel | Data Connectors | Security | Security Events - verify non-Azure computers are connected and sending data to the workspace | | High |
| Sentinel | Data Connectors | Security | Connector for AWS | | High |
| Sentinel | Data Connectors | Security | Connector for GCP | | High |
| Sentinel | Analytics Rules | Security | Customer has enabled analytics rules and configured incidents | | High |
| Sentinel | Settings | Security | Customer does not have a daily cap enabled | | Medium |
| Identity | Tenant | Security | Establish a single enterprise directory for managing identities of full-time employees and enterprise resources. | | High |
| Identity | Tenant | Security | Synchronize your cloud identity with your existing identity systems. | | High |
| Identity | Tenant | Security | Use cloud identity services to host non-employee accounts such as vendors, partners, and customers, rather than including them in your on-premises dir | | High |
| Identity | Tenant | Security | Disable insecure legacy protocols for internet-facing services. | | High |
| Identity | Tenant | Security | Enable single sign-on | | High |
| Identity | Privileged administrat | Security | Don't synchronize accounts with the highest privilege access to on-premises resources as you synchronize your enterprise identity systems with cloud directories. | | High |
| Identity | Privileged administrat | Security | Limit the number of Global Administrators to fewer than 5 | | High |
| Identity | Privileged administrat | Security | Use groups for Azure AD role assignments and delegate the role assignment | | High |
| Identity | Privileged administrat | Security | Ensure all critical impact admins are managed by the enterprise directory to follow organizational policy enforcement. | | High |
| Identity | Privileged administrat | Security | Configure recurring access reviews to revoke unneeded permissions over time | | High |
| Identity | Privileged administrat | Security | Ensure critical impact admins use a workstation with elevated security protections and monitoring | | Medium |
| Identity | External Identities | Security | Identity Providers: verify external identity providers are known | | High |
| Identity | External Identities | Security | External Collaboration Settings: guest user access set to 'Guest user access is restricted?' | | High |
| Identity | External Identities | Security | External Collaboration Settings: guest invite settings set to 'Only users assigned to specific admin roles' | | High |
| Identity | External Identities | Security | External Collaboration Settings: enable guest self-service sign up via flows set to 'Disabled' | | High |
| Identity | External Identities | Security | External Collaboration Settings: collaboration restrictions set to 'Allow invitations to the specified domains' | | High |
| Identity | External Identities | Security | Access Reviews: enabled for all groups | | Medium |
| Identity | Enterprise Application | Security | Consent & Permissions: allow user consent for apps from verified publishers | | Medium |
| Identity | Enterprise Application | Security | Consent & Permissions: allow group owner consent for selected group owners | | Medium |
| Identity | Custom Domains | Security | Only validated customer domains are registered | | High |
| Identity | Password Reset | Security | Self-service password reset policy requirement verified compliant. | | High |
| Identity | Password Reset | Security | 'Number of days before users are asked to re-confirm their authentication information' is not set to zero | | Medium |
| Identity | Password Reset | Security | 'Number of methods required to reset password' is selected | | High |
| Identity | User Setting | Security | Disable 'Users can register applications' | | High |
| Identity | User Setting | Security | Restrict access to the administrative portal (portal.azure.com) to administrators only | | High |
| Identity | User Setting | Security | Disable 'LinkedIn account connection' | | High |
| Identity | Diagnostic Settings | Security | Enabled and sending to the Log Analytics workspace used by Sentinel | | High |
| Identity | PIM enabled | Security | Privileged Identity Management enabled | | High |
| Identity | PIM enabled | Security | Implement 'just in time' (JIT) access to further lower the exposure time for privileged accounts (reduce standing access) | | High |
| Identity | Conditional Access Policies | Security | Configure conditional access policies / access controls | | High |
| Identity | Conditional Access Policies | Security | Conditions: restricted locations | | Medium |
| Identity | Conditional Access Policies | Security | Access Controls: MFA enabled for all users | | High |
| Identity | Conditional Access Policies | Security | Access Controls: require MFA for administrators | | Medium |
| Identity | Conditional Access Policies | Security | Access Controls: require MFA for Azure management | | High |
| Identity | Conditional Access Policies | Security | Access Controls: block legacy protocols | | High |
| Identity | Conditional Access Policies | Security | Access Controls: require devices to be marked as compliant | | High |
| Identity | Guest users | Security | Is there a policy to track guest user accounts (i.e. usage/delete/disable)? | Customer documented policy | Medium |
| Identity | Identity Secure Score | Security | Implement Identity Secure Score based on best practices in your industry | | High |
| Identity | Break Glass Accounts | Security | At least two break glass accounts have been created and a policy around their use exists | | Medium |
| Defender For Cloud | Pricing & Settings | Security | Security Center/Defender enabled in all subscriptions | | High |
| Defender For Cloud | Pricing & Settings | Security | Security Center/Defender enabled on all Log Analytics workspaces | | High |
| Defender For Cloud | Pricing & Settings | Security | Data collection set to 'Common' | | Medium |
| Defender For Cloud | Pricing & Settings | Security | Defender for Cloud enhanced security features are all enabled | | High |
| Defender For Cloud | Pricing & Settings | Security | Auto-provisioning enabled as per company policy (policy must exist) | | Medium |
| Defender For Cloud | Pricing & Settings | Security | Email notifications enabled as per company policy (policy must exist) | | Low |
| Defender For Cloud | Pricing & Settings | Security | Enable integrations options are selected | | Medium |
| Defender For Cloud | Pricing & Settings | Operations | CI/CD integration is configured | | Medium |
| Defender For Cloud | Pricing & Settings | Security | Continuous export 'Event Hub' is enabled if using a 3rd party SIEM | | High |
| Defender For Cloud | Pricing & Settings | Security | Continuous export 'Log Analytics Workspace' is enabled if not using Azure Sentinel | | Medium |
| Defender For Cloud | Pricing & Settings | Security | Cloud connector enabled for AWS | | High |
| Defender For Cloud | Pricing & Settings | Security | Cloud connector enabled for GCP | | High |
| Defender For Cloud | Pricing & Settings | Security | If using Azure AD Application Proxy, consider integrating with Microsoft Defender for Cloud Apps to monitor application access in real-time and apply advanced secu | | Low |
| Defender For Cloud | Recommendations | Security | All recommendations remediated or disabled if not required. | | Medium |
| Defender For Cloud | Recommendations | Security | Security Score > 70% | Microsoft minimum target for all customers | High |
| Defender For Cloud | Security Alerts | Security | Security alerts contain only those generated in the past 24 hours (remediate or disable older security alerts) | | Medium |
| Defender For Cloud | Workbooks | Security | If continuous export is enabled, default workbooks are published to the custom security dashboard | | Medium |
| Defender For Cloud | Community | Security | Customer is aware of the value of the 'Community' page and has a regular cadence set up to review it | | Medium |
| Defender For Cloud | Secure Score | Security | All subscriptions protected by Security Center are shown (no subscription filter set) | Customer operational best practice - Trans | High |
| Defender For Cloud | Regulatory Compliance | Security | Compliance controls are green for any required compliance requirements | | High |
| Defender For Cloud | Azure Defender | Security | High severity VM vulnerabilities is zero (empty) | Customer operational best practice - verify | High |
| Defender For Cloud | Firewall Manager | Security | Hubs are protected by an Azure Firewall | | Medium |
| Defender For Cloud | Firewall Manager | Security | Virtual networks are protected by a firewall | Customer operational best practice - verify | Medium |
| Defender For Cloud | Firewall Manager | Security | DDoS Standard enabled | | Medium |
| Defender For Cloud | Coverage | Security | Verify that all subscriptions are covered (see pricing and settings to modify) | | High |
| Azure Firewall | Configuration | Security | Azure Firewall Premium deployed | | High |
| Azure Firewall | Configuration | Security | Quad zero / forced tunneling enabled through Azure Firewall | | High |
| Azure Firewall | Access Control | Security | RBAC set to enable only authorized users | | Medium |
| Azure Firewall | Diagnostic Settings | Security | Diagnostics enabled and sending metrics to a Log Analytics workspace | | Medium |
| Azure Firewall | Firewall Manager | Security | Hubs and virtual networks are protected or connected through Firewall Premium | | High |
| Azure Firewall | Firewall Manager | Security | Policy: access controls are configured (RBAC) | | High |
| Azure Firewall | Firewall Manager | Security | Policy: parent policy is configured | | High |
| Azure Firewall | Firewall Manager | Security | Policy: rule collections are defined | | High |
| Azure Firewall | Firewall Manager | Security | Policy: DNAT policies are defined | | High |
| Azure Firewall | Firewall Manager | Security | Policy: network rules are defined | | High |
| Azure Firewall | Firewall Manager | Security | Policy: application rules are defined | | High |
| Azure Firewall | Firewall Manager | Security | DNS: feature understood and applied or not applied | | Medium |
| Azure Firewall | Firewall Manager | Security | Threat Intelligence: set to Alert & Deny | | High |
| Azure Firewall | Firewall Manager | Security | Threat Intelligence: allowed list (justify any entries that are being used, i.e. performance) | | High |
| Azure Firewall | Firewall Manager | Security | TLS enabled | | High |
| Azure Firewall | Firewall Manager | Security | IDPS enabled | | High |
| Azure Firewall | Firewall Manager | Security | SNAT: configured | | High |
| Azure Firewall | DDOS Protection | Security | Enabled for Firewall public IPs | | Medium |
| Main Area | Sub Area | WAF Pillar | Checklist item | Description (optional) | Severity |
|---|---|---|---|---|---|
| Security | Overview | Security | Consider the 'Azure security baseline for storage' | Apply guidance from the Microsoft cloud security benchmark related to Storage | Medium |
| Security | Networking | Security | Consider using private endpoints for Azure Storage | Azure Storage by default has a public IP address and is Internet-reachable. Private endpo | High |
| Security | Governance | Security | Ensure older storage accounts are not using the 'classic deployment model' | Newly created storage accounts are created using the ARM deployment model, so that RBAC, | Medium |
| Security | Governance | Security | Enable Microsoft Defender for all of your storage accounts | Leverage Microsoft Defender to learn about suspicious activity and misconfigurations. | High |
| Security | Data Availability | Security | Enable 'soft delete' for blobs | The soft-delete mechanism allows you to recover accidentally deleted blobs. | Medium |
| Security | Confidentiality | Security | Disable 'soft delete' for blobs | Consider selectively disabling 'soft delete' for certain blob containers, for example if the | Medium |
| Security | Data Availability | Security | Enable 'soft delete' for containers | Soft delete for containers enables you to recover a container after it has been deleted, f | High |
| Security | Confidentiality | Security | Disable 'soft delete' for containers | Consider selectively disabling 'soft delete' for certain blob containers, for example if the | Medium |
| Security | Data Availability | Security | Enable resource locks on storage accounts | Prevents accidental deletion of a storage account, by forcing the user to first remove the d | High |
| Security | Data Availability, Compliance | Security | Consider immutable blobs | Consider 'legal hold' or 'time-based retention' policies for blobs, so that it is impossible | High |
| Security | Networking | Security | Require HTTPS, i.e. disable port 80 on the storage account | Consider disabling unprotected HTTP/80 access to the storage account, so that all data tran | High |
| Security | Networking | Security | When enforcing HTTPS (disabling HTTP), check that you do not use cus | When configuring a custom domain (hostname) on a storage account, check whether you ne | High |
| Security | Networking | Security | Limit shared access signature (SAS) tokens to HTTPS connections only | Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the r | Medium |
| Security | Identity and Access Management | Security | Use Azure Active Directory (Azure AD) tokens for blob access | AAD tokens should be favored over shared access signatures, wherever possible | High |
| Security | Identity and Access Management | Security | Least privilege in IAM permissions | When assigning a role to a user, group, or application, grant that security principal only | Medium |
| Security | Identity and Access Management | Security | When using SAS, prefer 'user delegation SAS' over storage-account-key | A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and als | High |
| Security | Identity and Access Management | Security | Consider disabling storage account keys, so that only AAD access (and u | Storage account keys ('shared keys') have very little audit capabilities. While it can be mo | High |
| Security | Monitoring | Security | Consider using Azure Monitor to audit control plane operations on the | Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storag | High |
| Security | Identity and Access Management | Security | When using storage account keys, consider enabling a 'key expiration po | A key expiration policy enables you to set a reminder for the rotation of the account acces | Medium |
| Security | Identity and Access Management | Security | Consider configuring a SAS expiration policy | A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS | Medium |
| Security | Identity and Access Management | Security | Consider linking SAS to a stored access policy | Stored access policies give you the option to revoke permissions for a service SAS withou | Medium |
| Security | CI/CD | Security | Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys. | | Medium |
| Security | Identity and Access Management | Security | Consider storing connection strings in Azure KeyVault (in scenarios whe | Ideally, your application should be using a managed identity to authenticate to Azure Storag | High |
| Security | Identity and Access Management | Security | Strive for short validity periods for ad-hoc SAS | Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, eve | High |
| Security | Identity and Access Management | Security | Apply a narrow scope to a SAS | When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single | Medium |
| Security | Identity and Access Management | Security | Consider scoping SAS to a specific client IP address, wherever possible | A SAS can include parameters on which client IP addresses or address ranges are authoriz | Medium |
| Security | Identity and Access Management | Security | Consider checking uploaded data, after clients used a SAS to upload a fil | A SAS cannot constrain how much data a client uploads; given the pricing model of amount | Low |
| Security | Identity and Access Management | Security | SFTP: limit the number of 'local users' for SFTP access, and audit wheth | When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC contro | High |
| Security | Identity and Access Management | Security | SFTP: the SFTP endpoint does not support POSIX-like ACLs. | | Medium |
| Security | Networking | Security | Avoid overly broad CORS policies | Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables | High |
| Security | Confidentiality and Encryption | Security | Determine how data at rest should be encrypted. Understand the thread | Data at rest is always encrypted server-side, and in addition might be encrypted client-s | High |
| Security | Confidentiality and Encryption | Security | Determine which/if platform encryption should be used. | | Medium |
| Security | Confidentiality and Encryption | Security | Determine which/if client-side encryption should be used. | | Medium |
| Security | Identity and Access Management | Security | Consider whether public blob access is needed, or whether it can be disa | Leverage Resource Graph Explorer (resources \| where type == 'microsoft.storage/storagea | High |
| Main Area | Sub Area | WAF Pillar | Checklist item |
|---|---|---|---|
| BCDR | Azure Key Vault | Security | Protect your backup data with encryption and store keys safely in Azure Key Vau |
| BCDR | Backup | Security | Configure Azure SQL Database automated backups |
| BCDR | Backup | Security | Enable geo-redundant backup storage to protect against single region failure a |
| Code | Source Control and Code Review | Security | Use source control systems to store, maintain and review application code de |
| Data Discovery and Classification | Data Discovery and Classification | Security | Plan and configure Data Discovery & Classification to protect the sensitive data |
| Data Masking | Data Masking | Security | Use Data Masking to prevent unauthorized non-admin user data access if no en |
| Defender | Advanced Threat Protection | Security | Review and complete Advanced Threat Protection (ATP) configuration |
| Defender | Defender for Azure SQL | Security | Enable Microsoft Defender for Azure SQL |
| Defender | Defender for Azure SQL | Security | Prepare a security response plan to promptly react to Microsoft Defender for Az |
| Defender | Vulnerability Assessment | Security | Configure Vulnerability Assessment (VA) findings and review recommendations |
| Defender | Vulnerability Assessment | Security | Regularly review Vulnerability Assessment (VA) findings and recommendations |
| Encryption | Always Encrypted | Security | If protecting sensitive PII data from admin users is a key requirement, but Col |
| Encryption | Column Encryption | Security | To protect sensitive PII data from non-admin users in specific table columns, c |
| Encryption | Transparent Data Encryption | Security | Ensure Transparent Data Encryption (TDE) is kept enabled |
| Encryption | Transparent Data Encryption | Security | Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increas |
| Encryption | Transport Layer Security | Security | Enforce the minimum TLS version to the latest available |
| Identity | Azure Active Directory | Security | Leverage Azure AD authentication for connections to Azure SQL Databases |
| Identity | Azure Active Directory | Security | Create a separate Azure AD group with two admin accounts for each Azure SQL |
| Identity | Azure Active Directory | Security | Minimize the use of password-based authentication for applications |
| Identity | Managed Identities | Security | Assign Azure SQL Database a managed identity for outbound resource access |
| Identity | Passwords | Security | Minimize the use of password-based authentication for users |
| Ledger | Database Digest | Security | Use Azure Confidential Ledger to store database digests only if advanced securi |
| Ledger | Database Digest | Security | If an Azure storage account is used to store database digests, ensure security is pr |
| Ledger | Integrity | Security | Schedule the Ledger verification process regularly to verify data integrity |
| Ledger | Ledger | Security | If cryptographic proof of data integrity is a critical requirement, Ledger featur |
| Ledger | Recovery | Security | Prepare a response plan to investigate and repair a database after a tampering |
| Logging | Auditing | Security | Ensure that Azure SQL Database Auditing is enabled at the server level |
| Logging | Auditing | Security | Ensure that Azure SQL Database Auditing logs are backed up and secured in the |
| Logging | Auditing | Security | Ensure that Azure SQL Database Activity Log is collected and integrated with Au |
| Logging | SIEM/SOAR | Security | Ensure that Azure SQL Database Auditing logs are being presented in to your |
| Logging | SIEM/SOAR | Security | Ensure that Azure SQL Database Activity Log data is presented in to your SIEM |
| Logging | SIEM/SOAR | Security | Ensure that you have response plans for malicious or aberrant audit logging eve |
| Networking | Connectivity | Security | Review Public vs. Private Access connectivity methods and select the appropria |
| Networking | Connectivity | Security | Keep the default Azure SQL Database Connection Policy if not differently required an |
| Networking | Connectivity | Security | Ensure the Allow Azure Services and Resources to Access this Server setting is disa |
| Networking | Outbound Control | Security | Block or restrict outbound REST API calls to external endpoints |
| Networking | Outbound Control | Security | If outbound network access is required, it is recommended to configure outboun |
| Networking | Private Access | Security | If Private Access connectivity is used, ensure that you are using the Private En |
| Networking | Private Access | Security | If Private Endpoint (Private Access) is used, consider disabling Public Access con |
| Networking | Private Access | Security | If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to li |
| Networking | Private Access | Security | |
| Networking | Public Access | Security | |
| Networking | Public Access | Security | |
| Networking | Public Access | Security | |
| Networking | Public Access | Security | |
| Networking | Public Access | Security | |
| Privileged Access | Lockbox | Security | |
| Privileged Access | Permissions | Security | |
| Privileged Access | Permissions | Security | |
Apply Network Security Groups (NSG) and firewall rules to restrict access to A
If Public Access connectivity is used, leverage Service Endpoint to restrict acce
If Public Access connectivity is used, ensure that only specific known IPs are add
If Public Access connectivity is used and controlled by Azure SQL Database firewal
Do not enable Azure SQL Managed Instance public endpoint
Restrict access if Azure SQL Managed Instance public endpoint is required
Review and enable Customer Lockbox for Azure SQL Database access by Micros
Ensure that users are assigned the minimum level of access necessary to compl
Ensure that distinct applications will be assigned different credentials with mi
Description (optional) Severity
Ensure that your backups are protected against attacks. This shoul Medium
Azure SQL Database uses SQL Server technology to create full backu Medium
By default, SQL Database stores data in geo-redundant storage blob Low
Malicious code can potentially circumvent security controls. Before Medium
In case of classification requirements Purview is the preferred opti Low
Usage of this feature is recommended only if column encryption is Low
SQL Advanced Threat Detection (ATP) provides a layer of security th High
Enable Microsoft Defender for Azure SQL at the subscription level High
Microsoft Defender for Azure SQL ATP detects anomalous activities High
Azure SQLDB vulnerability assessment is a service that provides vis High
Microsoft Defender for Cloud provides vulnerability assessment for High
Always Encrypted with Secure Enclaves expands confidential computi Medium
With Azure SQL Database, you can apply symmetric encryption to a Low
Enabled by default, Transparent data encryption (TDE) helps to prote High
If separation of duties in the management of keys and data within Medium
The minimal Transport Layer Security (TLS) version setting allows High
Use Azure Active Directory (Azure AD) authentication for centraliz Medium
Using Azure AD groups simplifies permission management and both Medium
Ensure that distinct system and user assigned managed identities, Medium
System or User assigned managed identities enable Azure SQLDB to au Low
Use an Azure AD integrated authentication that eliminates the us Medium
The hash of the latest block in the database ledger is called the d Medium
The hash of the latest block in the database ledger is called the d Medium
Ledger provides a form of data integrity called forward integrity, w Medium
The Ledger feature provides tamper-evidence capabilities in your da Medium
Depending on the type of tampering, there are cases where you can r Medium
Azure SQL Database Auditing tracks database events and writes them Medium
Azure SQL Database Auditing logs can be written to external storag Low
The Azure Monitor activity log is a platform log in Azure that prov Medium
Forward any logs from Azure SQL to your Security Information and Medium
Forward any logs from Azure SQL to your Security Information and Medium
Security Operation Center (SOC) team should create an incident res Medium
When you create a logical server from the Azure portal for Azure SQ High
IMPORTANT: Connections to private endpoint only support Proxy as Low
This option configures the firewall to allow all connections from Azu High
Azure SQL Database has a new built-in feature that allows native in Medium
Outbound firewall rules limit network traffic from the Azure SQL Da Medium
Private Endpoint is created inside a subnet in an Azure Virtual Ne Medium
When adding a Private Endpoint connection, public routing to your lo High
Network Security Group (NSG) and Application Security Group (ASG) Medium
A Managed Instance (SQL MI) can be isolated inside a virtual networ Medium
Azure Virtual Network Service Endpoint is preferred solution if y High
The Azure SQL Database firewall allows you to specify IP address r Medium
We recommend that you use database-level IP firewall rules wheneve Low
A Managed Instance (SQL MI) can be isolated inside a virtual network High
A Managed Instance (SQL MI) public endpoint is not enabled by defaul High
Most operations, support, and troubleshooting performed by Micros Low
The principle of least privilege states that users shouldn't have Medium
Identities (both Users and SPNs) should be scoped to the least amo Low
Main Area Sub Area WAF Pillar Checklist item Description (optional) Severity
Security Data Protecti Security Use Key Vault Use Azure Key High
Security Data Protecti Security Use Managed I Use a Managed High
Security Data Protecti Security Use Key Vault Store the App High
Security Data Protecti Security Isolate system Systems that Medium
Security Data Protecti Security Do not store s Local disks o Medium
Security Identity and Security Use an establi For authentica Medium
Security Identity and Security Deploy from a Deploy code t High
Security Identity and Security Disable basic Disable basic High
Security Identity and Security Use Managed I Where possibl High
Security Identity and Security Pull containe Where using i High
Security Logging and Security Send App Serv By configuring Medium
Security Logging and Security Send App Servi Set up a diagn Medium
Security Network Secur Security Outbound netw Control outbo Medium
Security Network Secur Security Ensure a stab You can provi Low
Security Network Secur Security Inbound netwo Control inbou High
Security Network Secur Security Use a WAF in Protect again High
Security Network Secur Security Avoid for WA Make sure the High
Security Network Secur Security Set minimum T Set minimum T Medium
Security Network Secur Security Use HTTPS on Configure App High
Security Network Secur Security Wildcards mus Do not use wil High
Security Network Secur Security Turn off rem Remote debugg High
Security Network Secur Security Enable Defend Enable Defend Medium
Security Network Secur Security Enable DDOS Azure provide Medium
Security Network Secur Security Pull container Where using i Medium
Security Penetration T Security Conduct a pen Conduct a pen Medium
Security Vulnerabilit Security Deploy valida Deploy truste Medium
Security Vulnerabilit Security Use up-to-dat Use the lates High
Main Area Sub Area WAF Pillar Checklist item Description (optional) Severity
Foundation Capacity Plan Operations One or more r Define a reso High
Foundation Capacity Plan Performance Take Azure Active Directory Medium
Foundation General Operations Has the Resou The following High
Foundation General Cost Has a tagging Aligning with Low
Foundation General Operations What operatin Installation High
Foundation General Operations Are required There are soft High
Foundation General Reliability Make sure to use a support High
Foundation Organization Performance Define the st The scope inc Low
Identity Access Security Assign RBAC r Define RBAC r Medium
Identity Access Security Consider using managed iden Low
Identity Requirements Operations An Azure Activ An Azure subs High
Identity Requirements Security Define which Users (or SPs Medium
Identity Security Security Use the princi Ensure to only Medium
Identity Security Security How many Serv A service pri Medium
Identity Security Security Limit the rig Consider assi Medium
Management Management Operations Define a strat Plan for agen Medium
Management Management Operations Define a stra Use Microsoft High
Management Management Operations Define a strat Recommendatio Medium
Management Management Operations Define a stra Use automatic High
Management Management Operations Consider usin Azure Automan Medium
Management Monitoring Operations Monitor for unresponsive a High
Management Monitoring Operations Design a monitoring strate Medium
Management Monitoring Operations Use notification in Activit Medium
Management Monitoring Operations Use Azure Monitor for comp Medium
Management Monitoring Operations Create an alert to identify Medium
Management Security Operations Use Azure Arc Use Update M Low
Networking Networking Operations Define a conn The Connected High
Networking Networking Operations Is a proxy ser The Connected Medium
Networking Networking Operations Is a private ( The Connected Medium
Networking Networking Security Will Firewall Firewall conf High
Networking Networking Security Can the Firew Use available Low
Networking Networking Security Always use se Configure Serv High
Networking Networking Security Include commu All extensions Low
Security, Gov Management Security Use Azure Policy to implem Medium
Security, Gov Management Operations Consider using Machine con Medium
Security, Gov Management Operations Evaluate the need for custo Medium
Security, Gov Monitoring Operations Consider using change trac Medium
Security, Gov Requirements Security Make sure to use an Azure Medium
Security, Gov Secrets Security Use Azure Key Vault for ce Medium
Security, Gov Secrets Security What is the ac Consider using High
Security, Gov Secrets Security Secure the pu A private key Medium
Security, Gov Security Security Ensure there i Local adminis High
Security, Gov Security Security Limit the amou Members of th Medium
Security, Gov Security Security Consider using and restrict Medium
Security, Gov Security Security Enable Defende Use Defender Medium
Security, Gov Security Security Define controls to detect s Medium
Security, Gov Security Security Use allow- or block-lists t Medium
Main Area Sub Area WAF Pillar Checklist item Description (optional) Severity
Governance Development Operations Implement an error handling Medium
Governance Development Operations Ensure all APIs policies in Medium
Governance Development Operations Use Policy Fragments to avo Medium
Governance Monetization Operations If you are planning to monet Medium
Governance Monitoring Operations Enable Diagnostics Settings High
Governance Monitoring Operations Enable Application Insights Medium
Governance Monitoring Operations Configure alerts on the most High
Identity and Data protecti Security Ensure that custom SSL cert High
Identity and Identity Security Protect incoming requests High
Identity and Identity Security Use Azure AD to authenticat Medium
Identity and Privileged acc Security Create appropriate groups to Medium
Management Best practices Operations Use Backends feature to el Medium
Management Best practices Operations Use Named Values to store Medium
Management Business cont Reliability Deploy to multiple Azure r Medium
Management Business cont Reliability Deploy at least two scale un Medium
Management Business cont Reliability Ensure there is an automat High
Management Performance and scalability Consider using an external c Medium
Management Performance a Operations If you need to log at high Low
Management Performance a Performance Apply throttling policies t Medium
Management Performance a Performance Configure autoscaling to sc Medium
Management Performance a Performance Deploy self-hosted gateway Medium
Network Topo Connectivity Performance Use Azure Front Door in fr Medium
Network Topo Security Security Deploy the service within a Medium
Network Topo Security Security Deploy network security gro Medium
Network Topo Security Security Deploy Private Endpoints to Medium
Network Topo Security Security Disable Public Network Acc High
Platform aut Automation Operations Simplify management with Medium
Platform aut Best practices Operations Review DevOps best practi Medium
Platform aut Best practices Operations Promote usage of Visual St Medium
Platform aut DevOps Operations Implement DevOps and CI/ Medium
Security APIs Security Secure APIs using client cer Medium
Security APIs Security Secure backend services usin Medium
Security APIs Security Review 'Recommendations to Medium
Security APIs Security Use Authorizations feature Medium
Security Ciphers Security Use the latest TLS version High
Security Data protecti Security Ensure that secrets (Named High
Security Identities Security Use managed identities to Medium
Security Network Security Use web application firewa High
Main Area Sub Area WAF Pillar Checklist item Description (optional) Severity
Business Business Understand what kind of sol High
Business Business Define your tenants. Unders High
Business Business Define your pricing model a High
Business Business Understand whether you need Medium
Business Business Based on your customers' re Medium
Business Business When you're ready, sell yo Medium
Reliability Reliability Review the Azure Well-Archit High
Reliability Reliability Understand the Noisy Neighb High
Reliability Reliability Design your multitenant sol Medium
Reliability Reliability Define service-level object Medium
Reliability Reliability Test the scale of your solut High
Reliability Reliability Apply chaos engineering prin Medium
Security Security Apply the Zero Trust and leas High
Security Security Ensure that you can correct High
Security Security Perform ongoing penetratio Medium
Security Security Understand your tenants' c High
Security Security Correctly manage domain na High
Security Security Follow service-specific gui Medium
Cost Optimiza Cost Optimization Review the Azure Well-Archi Medium
Cost Optimiza Cost Optimization Ensure you can adequately m High
Cost Optimiza Cost Optimization Avoid antipatterns. Antipatt Medium
Operational E Operational Excellence Review the Azure Well-Archi High
Operational E Operational Excellence Use automation to manage t Medium
Operational E Operational Excellence Find the right balance for Medium
Operational E Operational Excellence Monitor the health of the ov High
Operational E Operational Excellence Configure and test alerts t Medium
Operational E Operational Excellence Organize your Azure resourc High
Operational E Operational Excellence Avoid deployment and config Medium
Performance E Performance Efficiency Review the Azure Well-Archi High
Performance E Performance Efficiency If you use shared infrastru High
Performance E Performance Efficiency Determine how you'll scale Medium
Performance E Performance Efficiency Consider each Azure resourc High
Main Area Sub Area WAF Pillar Checklist item Description (optional) Severity
Identity Identity Security Ensure ADDS domain controll High
Identity Identity Security Ensure ADDS sites and serv Medium
Identity Identity Security Ensure that vCenter is con High
Identity Identity Security Ensure that the connection Medium
Identity Identity Security CloudAdmin account in vCen Medium
Identity Identity Security Ensure that NSX-Manager is High
Identity Identity Security Has an RBAC model been cr Medium
Identity Identity Security RBAC permissions should b Medium
Identity Identity Security RBAC permissions on the Az High
Identity Identity Security Ensure all custom roles ar High
Networking Architecture Performance Is the correct Azure VMwar High
Networking Monitoring Operations Ensure ExpressRoute or VPN High
Networking Monitoring Operations Ensure a connection monito Medium
Networking Monitoring Operations Ensure a connection monito Medium
Networking Routing Operations When route server is used, High
Governance Security (ident Security Is Privileged Identity Man High
Governance Security (ident Security Privileged Identity Manage High
Governance Security (ident Security If using Privileged Identit Medium
Governance Security (ident Security Limit use of CloudAdmin a High
Governance Security (ident Security Create custom RBAC roles i Medium
Governance Security (ident Security Is a process defined to reg Medium
Governance Security (ident Security Use a centralized identity High
Governance Security (net Security Is East-West traffic filter Medium
Governance Security (net Security Workloads on Azure VMware S High
Governance Security (net Security Auditing and logging is i High
Governance Security (net Security Session monitoring is impl Medium
Governance Security (net Security Is DDoS standard protecti Medium
Governance Security (net Security Use a dedicated privilege Medium
Governance Security (gue Security Enable Advanced Threat Det Medium
Governance Security (gue Security Use Azure ARC for Servers Medium
Governance Security (gue Security Ensure workloads on Azure V Low
Governance Security (gue Security When in-guest encryption is Low
Governance Security (gue Security Consider using extended se Medium
Governance Governance (p Reliability Ensure that the appropriat High
Governance Governance (p Reliability Ensure that the Failure-to- High
Governance Governance (p Reliability Ensure that you have reque High
Governance Governance (p Operations Ensure that access constrain Medium
Governance Governance (p Operations Ensure that you have a poli Medium
Governance Governance (p Cost Ensure a good cost manage Medium
Governance Governance (p Cost Are Azure reserved instanc Low
Governance Governance (p Security Consider the use of Azure P Medium
Governance Governance (p Performance Ensure all required resource High
Governance Governance ( Security Enable Microsoft Defender Medium
Governance Governance ( Security Use Azure Arc enabled ser Medium
Governance Governance ( Operations Enable Diagnostic and met High
Governance Governance ( Operations Deploy the Log Analytics Medium
Governance Governance ( Operations Ensure you have a documen Medium
Governance Compliance Security Use Microsoft Defender fo Medium
Governance Compliance Security Are the applicable complia Medium
Governance Compliance Security Was data residency evaluat High
Governance Compliance Security Are data processing implic High
Governance Compliance Security Consider using CMK (Custom Medium
Management Monitoring Operations Create dashboards to enabl High
Management Monitoring Operations Create warning alerts for High
Management Monitoring Operations Ensure critical alert is cr High
Management Monitoring Operations Ensure alerts are configured High
Management Monitoring Operations Configure Azure VMware Sol Medium
Management Monitoring Operations If deep insight in VMware v Low
Management Operations Operations Ensure the vSAN storage pol High
Management Operations Operations Ensure vSphere content libr Medium
Management Operations Operations Ensure data repositories fo Medium
Management Operations Operations Ensure workloads running o Medium
Management Operations Operations Ensure workloads running Medium
Management Operations Operations Include workloads running Medium
Management Operations Operations Use Azure Policy to onboar Medium
Management Security Security Ensure workloads running Medium
BCDR Backup Reliability Ensure backups are not stor Medium
BCDR Disaster Reco Reliability Have all DR solutions been Medium
BCDR Disaster Reco Reliability Use Azure Site Recovery wh Medium
BCDR Disaster Reco Reliability Use Automated recovery plan High
BCDR Disaster Reco Reliability Use the geopolitical region Medium
BCDR Disaster Reco Reliability Use 2 different address spa High
BCDR Disaster Reco Reliability Will ExpressRoute Global R Medium
BCDR Business Cont Reliability Have all Backup solutions Medium
BCDR Business Cont Reliability Deploy your backup solutio Medium
BCDR Business Cont Reliability Deploy your backup solutio Medium
BCDR Business Cont Reliability Is a process in place to r Low
Platform Aut Deployment s Operations For manual deployments, a Low
Platform Aut Deployment s Operations For manual deployments, co Low
Platform Aut Automated D Operations For automated deployments, Low
Platform Aut Automated D Operations For automated deployments, Low
Platform Aut Automated D Operations For automated deployment, Low
Platform Aut Automated Co Operations Implement human understand Low
Platform Aut Automated Co Operations Use Key vault to store sec Low
Platform Aut Automated Co Operations Define resource dependenci Low
Platform Aut Automated Co Operations When performing automated Low
Platform Aut Automated Sc Performance When intending to use auto Medium
Platform Aut Automated Sc Performance When intending to use auto Medium
Platform Aut Automated Sc Performance Scaling operations always n Medium
Platform Aut Automated Sc Performance Consider and validate scali Medium
Platform Aut Automated Sc Performance Define and enforce scale i Medium
Platform Aut Automated Sc Operations Implement monitoring rules Medium
Migration Architecture Reliability When using MON, be aware o High
Migration Architecture Reliability When using MON, you cann High
Migration Networking Performance If using a VPN connection f Medium
Migration Networking Performance For low connectivity regio Medium
Migration Process Reliability Ensure that migrations are Medium
Data Storage Architecture Reliability When Azure Netapp Files is Medium
Data Storage Architecture Reliability Ensure that a dedicated Exp Medium
Data Storage Architecture Reliability Ensure that FastPath is ena Medium
Stretched Clu Architecture Reliability If using stretched cluster, High
Stretched Clu Architecture Reliability If using stretched cluster, High
Stretched Clu Architecture Reliability If using stretched cluster, High
Stretched Clu Architecture Reliability If using stretched cluster, High
Stretched Clu Architecture Reliability Have site disaster toleranc High
Main Area Sub Area WAF Pillar Checklist item Description (optional) Severity
Business Cont Compute Reliability Determine the AVD control pl High
Business Cont Compute Reliability Assess Geo Di Active-Active Medium
Business Cont Compute Reliability Separate criti Before approa Low
Business Cont Compute Reliability Plan the best Each Host Poo High
Business Cont Compute Reliability Assess the r Azure Backup c Medium
Business Cont Compute Reliability Prepare a loc Even for Perso Medium
Business Cont Dependencies Reliability Plan for Golde If custom imag Low
Business Cont Dependencies Reliability Assess Infras If users of th Medium
Business Cont Storage Reliability Assess which Not all data i Medium
Business Cont Storage Reliability Build a backup Preventing dat Medium
Business Cont Storage Reliability Assess Profil In AVD, multip Medium
Business Cont Storage Reliability Review Azure F For local disa Medium
Business Cont Storage Reliability Use Zone Redu Zone Redundan High
Business Cont Storage Reliability Review Azure For local disa Medium
Compute Golden Image Operations Determine how Applications High
Compute Golden Image Operations Estimate the Multiple gold Medium
Compute Golden Image Reliability Determine whi Determine whi Medium
Compute Golden Image Reliability Select the pr Azure VM cust Low
Compute Golden Image Operations Design your b If custom ima Low
Compute Golden Image Operations If custom ima There are som Medium
Compute Golden Image Reliability Include the l FSLogix stack High
Compute Golden Image Performance Evaluate the This tool-set Low
Compute Golden Image Operations Determine if If OneDrive i Low
Compute Golden Image Performance Determine if Be sure to re Low
Compute Golden Image Reliability Assess the re AVD can suppo Low
Compute MSIX & AppA Performance Do not use th It is highly Medium
Compute MSIX & AppA Performance Review perfor In the refere Medium
Compute MSIX & AppA Security Check proper MSIX app attac Medium
Compute MSIX & AppA Cost MSIX packages 3rd-party sof Low
Compute MSIX & AppA Operations Disable auto- MSIX app atta Low
Compute MSIX & AppA Reliability Review operat In order to l Medium
Compute Session Host Performance Evaluate the Once selected Medium
Compute Session Host Performance Consider usin MMR redirects Low
Foundation Capacity Plan Cost Determine the A host pool i High
Foundation Capacity Plan Performance Estimate the Use your desi High
Foundation Capacity Plan Operations For Personal Confirm that t Low
Foundation Capacity Plan Performance For Pooled Ho Check which o Low
Foundation Capacity Plan Performance For Pooled Ho The number of Medium
Foundation Capacity Plan Security Do not use th AVD does not High
Foundation Capacity Plan Reliability Estimate the There is a lim Medium
Foundation Capacity Plan Reliability Estimate the Applications Low
Foundation Capacity Plan Reliability Evaluate the FSLogix is not Low
Foundation Capacity Plan Performance Run workload Use the link p High
Foundation Capacity Plan Reliability Verify AVD sca It is critical High
Foundation Capacity Plan Performance Determine if Host Pools wit Low
Foundation Capacity Plan Performance Use Azure VM Whenever is p Low
Foundation Clients & Use Performance Assess how ma For proper pl Medium
Foundation Clients & Use Performance Assess extern The dependenc Medium
Foundation Clients & Use Performance Review user c AVD offers a v Low
Foundation Clients & Use Performance Run a PoC to Depending on High
Foundation Clients & Use Security Assess and do RDP settings c Low
Foundation General Performance Determine in AVD is a non-r High
Foundation General Reliability Determine met AVD must stor Medium
Foundation General Reliability Check Azure qu Check for spe Low
Identity Active Directo Reliability Create at lea AD DCs in Azu Medium
Identity Active Directo Operations Create a speci Recommended t Medium
Identity Active Directo Operations Review Domain Carefully revi Medium
Identity Active Directo Operations Configure FSL If Active Dir Medium
Identity Active Directo Security Create a dedi It is recomme Medium
Identity Active Directo Security Create a doma Avoid grantin Medium
Identity Active Directo Security Review your o If Azure File High
Identity Active Directo Reliability A Windows Ser You can confi High
Identity Microsoft Ent Security Configure Azu If Azure Files Medium
Identity Requirements Reliability A Microsoft En An Azure subs High
Identity Requirements Security Review and do Azure Virtual High
Identity Requirements Security Assess User A Users need ac Medium
Identity Requirements Reliability If Single-Sig AVD supports Medium
Identity Requirements Security Select the pr VMs can be Wi High
Identity Requirements Reliability Before using Compare self- Low
Monitoring Management Operations Use built-in AVD provides Low
Monitoring Management Operations Plan AVD Sess Determine if Low
Monitoring Management Operations Evaluate Int We recommend Medium
Monitoring Management Reliability Assess the re The scaling t Medium
Monitoring Management Cost Consider the Start VM On C Low
Monitoring Management Cost Evaluate the Start VM On C Low
Monitoring Management Cost Review and ad Azure Virtual Low
Monitoring Management Operations Periodically Azure Advisor Low
Monitoring Management Operations Plan for a Se Customers hav Medium
Monitoring Management Reliability Configure the The Scheduled Low
Monitoring Management Operations Create a valid Host pools ar Medium
Monitoring Management Operations Determine Ho An AVD Host P Medium
Monitoring Management Operations Turn on Sessi After you reg Medium
Monitoring Monitoring Reliability Enable monito Azure Virtual High
Monitoring Monitoring Reliability Enable diagno Azure Virtual Medium
Monitoring Monitoring Reliability Create alerts See the refer Medium
Monitoring Monitoring Reliability Configure Azu You can use Az Medium
Networking Networking Reliability Determine if If required t Medium
Networking Networking Performance Determine Azu AVD Host Pool Medium
Networking Networking Reliability Assess which Evaluate the Medium
Networking Networking Security Need to contro Several optio Medium
Networking Networking Reliability Ensure AVD co Required URLs High
Networking Networking Security Need to contro Consider the Medium
Networking Networking Security Review custo Custom UDR an Low
Networking Networking Reliability Do not use Pr Network traffi High
Networking Networking Performance Check the net It is recomme Low
Networking Networking Security Evaluate usage If Azure Files Medium
Networking Networking Performance Evaluate usag Connections t Medium
Security Active Directo Security Review Active Security mech Medium
Security Host Configur Security Ensure anti-v Microsoft Def High
Security Host Configur Security Assess disk e Disks in Azur Low
Security Host Configur Security Enable Truste Trusted launc Medium
Security Host Configur Security Enable Truste Trusted Launc High
Security Host Configur Security Consider enab Displayed con Low
Security Host Configur Security Restrict devi If not absolu Medium
Security Management Security When possible When choosing Medium
Security Management Security Need to contr Web content f Medium
Security Management Security Ensure AVD us We recommend High
Security Management Security Enable Micros We recommend Medium
Security Management Security Enable diagno Enabling audit Medium
Security Management Security Assess the r Assign the le Low
Security Management Security Restrict users AVD users sho Medium
Security Microsoft Ent Security Evaluate the Enabling MFA Medium
Security Zero Trust Security Review and Ap If Zero Trust Medium
Storage Azure Files Performance Check best-pra If used, make Medium
Storage Azure Files Performance Enable SMB mu SMB Multichan Low
Storage Azure NetApp Reliability If NetApp File If a second re Medium
Storage Azure NetApp Reliability If NetApp File CA option is Medium
Storage Azure NetApp Reliability If Azure NetAp An Active Dir High
Storage Capacity Plan Performance Determine whi Possible opti Medium
Storage Capacity Plan Performance Determine whi Possible optio High
Storage Capacity Plan Performance Do not share Every Host Po High
Storage Capacity Plan Reliability Verify storage As a starting High
Storage Capacity Plan Performance For optimal p Avoid introduc High
Storage FSLogix Reliability Do not use Off The recommend High
Storage FSLogix Security Configure the Make sure to c Medium
Storage FSLogix Cost Review and co Profile contai High
Storage FSLogix Reliability Review FSLogi Defaults and High
Storage FSLogix Reliability Avoid usage o Concurrent or High
Storage FSLogix Performance If FSLogix Cl Cloud Cache u Low
Storage FSLogix Cost Review the us REDIRECTION.X Medium
Main Area | Sub Area | WAF Pillar | Checklist item | Description | Severity
Application | Development | Operations | Use canary or blue/green… | | Medium
Application | Development | Reliability | If required for AKS Window… | | Low
Application | Development | Performance | Use KEDA if running event-… | | Low
Application | Development | Operations | Use Dapr to ease microser… | | Low
Application | Infrastructur… | Operations | Use automation through AR… | | Medium
BC and DR | Disaster Reco… | Reliability | Schedule and perform DR te… | | High
BC and DR | High Availabil… | Reliability | Use Azure Traffic Manager o… | | Medium
BC and DR | High Availabil… | Reliability | Use Availability Zones if t… | | Medium
BC and DR | High Availabil… | Reliability | Use the SLA-backed AKS of… | | High
BC and DR | High Availabil… | Reliability | Use Disruption Budgets in… | | Low
BC and DR | High Availabil… | Reliability | If using a private registry,… | | High
BC and DR | Requirements | Reliability | Define non-functional requ… | | High
Cost Governa… | Cost | Cost | Use an external application… | | Low
Cost Governa… | Cost | Cost | Use scale down mode to de… | | Low
Cost Governa… | Cost | Cost | When required use multi-in… | | Medium
Cost Governa… | Cost | Cost | If running a Dev/Test clust… | | Low
Governance a… | Compliance | Security | Use Azure Policy for Kuber… | | Medium
Governance a… | Compliance | Security | Separate applications from… | | Medium
Governance a… | Compliance | Security | Add taint to your system n… | | Low
Governance a… | Compliance | Security | Use a private registry for… | | Medium
Governance a… | Compliance | Security | Scan your images for vulner… | | Medium
Governance a… | Compliance | Security | Use Azure Security Center to… | | Medium
Governance a… | Compliance | Security | If required configure FIPS… | | Low
Governance a… | Compliance | Security | Define app separation req… | | High
Governance a… | Secrets | Security | Store your secrets in Azure… | | Medium
Governance a… | Secrets | Security | If using Service Principals f… | | High
Governance a… | Secrets | Security | If required add Key Manage… | | Medium
Governance a… | Secrets | Security | If required consider using… | | Low
Governance a… | Secrets | Security | Consider using Defender fo… | | Medium
Identity and… | Identity | Security | Use managed identities inst… | | High
Identity and… | Identity | Security | Integrate authentication w… | | Medium
Identity and… | Identity | Security | Limit access to admin kubec… | | Medium
Identity and… | Identity | Security | Integrate authorization wi… | | Medium
Identity and… | Identity | Security | Use namespaces for restric… | | High
Identity and… | Identity | Security | For Pod Identity Access M… | | Medium
Identity and… | Identity | Security | For AKS non-interactive log… | | Medium
Identity and… | Identity | Security | Disable AKS local accounts… | | Medium
Identity and… | Identity | Security | Configure if required Just-i… | | Low
Identity and… | Identity | Security | Configure if required AAD c… | | Low
Identity and… | Identity | Security | If required for Windows A… | | Low
Identity and… | Identity | Security | For finer control consider… | | Medium
Network Topo… | Best practices | Reliability | If using AGIC, do not shar… | | Medium
Network Topo… | Best practices | Reliability | Do not use AKS Applicatio… | | High
Network Topo… | Best practices | Performance | For Windows workloads use… | | Medium
Network Topo… | Best practices | Reliability | Use the standard ALB (as o… | | High
Network Topo… | Best practices | Security | If using Azure CNI, conside… | | Medium
Network Topo… | Cost | Security | Use Private Endpoints (pref… | | Medium
Network Topo… | HA | Reliability | If hybrid connectivity is re… | | Medium
Network Topo… | IPAM | Reliability | Choose the best CNI netwo… | | High
Network Topo… | IPAM | Performance | If using Azure CNI, size y… | | High
Network Topo… | IPAM | Performance | If using Azure CNI, check… | | High
Network Topo… | IPAM | Security | If using priva… | For internal a… | Low
Network Topo… | IPAM | Reliability | Size the service IP address r… | | High
Network Topo… | Operations | Security | If required add your own C… | | Low
Network Topo… | Operations | Performance | If required configure Publi… | | Low
Network Topo… | Scalability | Reliability | Use an ingress controller… | | Medium
Network Topo… | Scalability | Reliability | Use Azure NAT Gateway as… | | Low
Network Topo… | Scalability | Reliability | Use Dynamic allocations of… | | Medium
Network Topo… | Security | Security | Filter egress traffic with… | | High
Network Topo… | Security | Security | If using a public API endpoin… | | Medium
Network Topo… | Security | Security | Use private clusters if you… | | High
Network Topo… | Security | Security | For Windows 2019 and 2022… | | Medium
Network Topo… | Security | Security | Enable a Kubernetes Networ… | | High
Network Topo… | Security | Security | Use Kubernetes network poli… | | High
Network Topo… | Security | Security | Use a WAF for web workload… | | High
Network Topo… | Security | Security | Use DDoS Standard in the… | | Medium
Network Topo… | Security | Security | If required add company H… | | Low
Network Topo… | Security | Security | Consider using a service… | | Medium
Operations | Alerting | Operations | Configure alerts on the mos… | | High
Operations | Compliance | Operations | Check regularly Azure Advi… | | Low
Operations | Compliance | Operations | Enable AKS auto-certificate… | | Low
Operations | Compliance | Operations | Have a regular process to u… | | High
Operations | Compliance | Operations | Use kured for Linux node u… | | High
Operations | Compliance | Operations | Have a regular process to u… | | High
Operations | Compliance | Operations | Consider gitops to deploy ap… | | Low
Operations | Compliance | Operations | Consider using AKS comman… | | Low
Operations | Compliance | Operations | For planned events conside… | | Low
Operations | Compliance | Operations | Develop own governance pra… | | High
Operations | Compliance | Operations | Use custom Node RG (aka '… | | Low
Operations | Compliance | Operations | Do not use deprecated Kub… | | Medium
Operations | Compliance | Operations | Taint Windows nodes | | Low
Operations | Compliance | Operations | Keep windows containers pat… | | Low
Operations | Compliance | Operations | Send master l… | Via Diagnostic… | Low
Operations | Compliance | Cost | If required use nodePool s… | | Low
Operations | Cost | Operations | Consider spot node pools f… | | Low
Operations | Cost | Operations | Consider AKS virtual node f… | | Low
Operations | Monitoring | Operations | Monitor your cluster metric… | | High
Operations | Monitoring | Operations | Store and analyze your clust… | | High
Operations | Monitoring | Operations | Monitor CPU and memory ut… | | Medium
Operations | Monitoring | Operations | If using Azure CNI, monito… | | Medium
Operations | Monitoring | Operations | Monitor OS di… | I/O in the OS… | Medium
Operations | Monitoring | Operations | If not using egress filter… | | Medium
Operations | Monitoring | Operations | Subscribe to resource health… | | Medium
Operations | Resources | Operations | Configure requests and limi… | | High
Operations | Resources | Operations | Enforce resource quotas f… | | Medium
Operations | Resources | Operations | Ensure your subscription h… | | High
Operations | Scalability | Performance | Use the Cluster Autoscaler… | | Medium
Operations | Scalability | Performance | Customize node configurat… | | Low
Operations | Scalability | Performance | Use the Horizontal Pod Aut… | | Medium
Operations | Scalability | Performance | Consider an a… | Larger nodes… | High
Operations | Scalability | Performance | If more than 5000 nodes are… | | Low
Operations | Scalability | Performance | Consider subscribing to Ev… | | Low
Operations | Scalability | Performance | For long running operation… | | Low
Operations | Scalability | Performance | If required consider using… | | Low
Operations | Storage | Performance | Use ephemeral OS disks | | High
Operations | Storage | Performance | For non-ephemeral disks, u… | | High
Operations | Storage | Performance | For hyper performance stor… | | Low
Operations | Storage | Performance | Avoid keeping state in the… | | Medium
Operations | Storage | Performance | If using AzFiles Standard,… | | Medium
Operations | Storage | Performance | If using Azure Disks and A… | | Medium
Main Area | Sub Area | WAF Pillar | Checklist item | Description | Severity
Azure Billing | Microsoft Ent… | Operations | Use one Entra tenant for ma… | | Medium
Azure Billing | Microsoft Ent… | Operations | Ensure you have a Multi-T… | | Low
Azure Billing | Microsoft Ent… | Operations | Leverage Azure Lighthouse… | | Low
Azure Billing | Cloud Solutio… | Cost | Ensure that Azure Lighthous… | | Medium
Azure Billing | Cloud Solutio… | Cost | Discuss support request an… | | Low
Azure Billing | Cloud Solutio… | Cost | Setup Cost Reporting and… | | Medium
Azure Billing | Enterprise A… | Cost | Configure Notification Con… | | Medium
Azure Billing | Enterprise A… | Cost | Use departments and account… | | Low
Azure Billing | Enterprise A… | Security | Ensure that Accounts are c… | | High
Azure Billing | Enterprise A… | Security | Enable both DA View Charge… | | Medium
Azure Billing | Enterprise A… | Cost | Make use of Enterprise Dev… | | Low
Azure Billing | Enterprise A… | Cost | Periodically audit the role… | | Medium
Azure Billing | Microsoft Cu… | Cost | Configure Agreement billing… | | Low
Azure Billing | Microsoft Cu… | Cost | Use Billing Profiles and In… | | Low
Azure Billing | Microsoft Cu… | Cost | Make use of Azure Plan to… | | Low
Azure Billing | Microsoft Cu… | Cost | Periodically audit the agre… | | Medium
Identity and… | Microsoft Ent… | Security | Use managed identities inst… | | High
Identity and… | Microsoft Ent… | Reliability | When deploying an AD Connec… | | Medium
Identity and… | Identity | Security | Implement an emergency acc… | | High
Identity and… | Identity | Security | Integrate Microsoft Entra I… | | Medium
Identity and… | Identity | Security | Enforce a RBAC model that… | | High
Identity and… | Identity | Security | Enforce Microsoft Entra ID… | | Low
Identity and… | Identity | Security | Enforce multi-factor authen… | | High
Identity and… | Identity | Security | Enforce centralized and del… | | Medium
Identity and… | Identity | Security | Enforce Microsoft Entra ID… | | Medium
Identity and… | Identity | Security | Only use the authentication… | | High
Identity and… | Identity | Security | Only use groups to assign… | | Medium
Identity and… | Identity | Security | Consider using Azure custo… | | Medium
Identity and… | Identity | Reliability | When deploying Active Direc… | | Medium
Identity and… | Identity | Security | If Entra Domain Services in… | | Medium
Identity and… | Identity | Security | If domain controllers are b… | | Medium
Identity and… | Identity | Security | Consider using Microsoft En… | | Medium
Identity and… | Identity | Security | Avoid using on-premises sy… | | Medium
Identity and… | Landing zone… | Security | Configure Identity network… | | Medium
Identity and… | Landing zone… | Security | Use Azure RBAC to manage… | | Medium
Identity and… | Landing zone… | Security | Use Microsoft Entra ID PIM… | | Medium
Resource Orga… | Naming and t… | Security | It is recommended to follo… | | High
Resource Orga… | Subscriptions | Security | Enforce reasonably flat ma… | | Medium
Resource Orga… | Subscriptions | Security | Enforce a sandbox managem… | | Medium
Resource Orga… | Subscriptions | Security | Enforce a platform manage… | | Medium
Resource Orga… | Subscriptions | Security | Enforce a dedicated connec… | | Medium
Resource Orga… | Subscriptions | Security | Enforce no subscriptions… | | Medium
Resource Orga… | Subscriptions | Security | Enforce that only privileg… | | Medium
Resource Orga… | Subscriptions | Security | Enforce management groups… | | Medium
Resource Orga… | Subscriptions | Security | Enforce a process to make r… | | High
Resource Orga… | Subscriptions | Security | Ensure that all subscriptio… | | Medium
Resource Orga… | Subscriptions | Security | Use Reserved Instances wher… | | High
Resource Orga… | Subscriptions | Security | Enforce a dashboard, workb… | | High
Resource Orga… | Subscriptions | Security | Enforce a process for cos… | | High
Resource Orga… | Subscriptions | Security | If servers will be used for… | | Medium
Resource Orga… | Subscriptions | Security | Ensure tags are used for b… | | Medium
Resource Orga… | Subscriptions | Security | For Sovereign Landing Zone,… | | Medium
Resource Orga… | Regions | Reliability | Select the right Azure regi… | | High
Resource Orga… | Regions | Reliability | Consider a multi-region dep… | | Medium
Resource Orga… | Regions | Reliability | Ensure required services an… | | Medium
Network Topo… | App delivery | Operations | Develop a plan for securin… | | Medium
Network Topo… | App delivery | Security | Perform app delivery within… | | Medium
Network Topo… | App delivery | Security | Use a DDoS Network or IP pr… | | Medium
Network Topo… | Encryption | Security | When you're using ExpressRo… | | Medium
Network Topo… | Encryption | Security | For scenarios where MACsec… | | Low
Network Topo… | Hub and spok… | Security | Consider a network design… | | Medium
Network Topo… | Hub and spok… | Cost | Ensure that shared networki… | | High
Network Topo… | Hub and spok… | Reliability | When deploying partner net… | | Medium
Network Topo… | Hub and spok… | Security | If you need transit betwee… | | Low
Network Topo… | Hub and spok… | Security | If using Route Server, use a… | | Low
Network Topo… | Hub and spok… | Performance | For network architectures w… | | Medium
Network Topo… | Hub and spok… | Operations | Use Azure Monitor for Netw… | | Medium
Network Topo… | Hub and spok… | Reliability | When connecting spoke virtu… | | Medium
Network Topo… | Hub and spok… | Reliability | Consider the limit of routes… | | Medium
Network Topo… | Hub and spok… | Reliability | Use the setting 'Allow traf… | | High
Network Topo… | Hybrid | Performance | Ensure that you have invest… | | Medium
Network Topo… | Hybrid | Reliability | When you use… | You can use A… | Medium
Network Topo… | Hybrid | Performance | Ensure that you're using t… | | Medium
Network Topo… | Hybrid | Cost | Ensure that you're using unl… | | High
Network Topo… | Hybrid | Cost | Leverage the Local SKU of Ex… | | High
Network Topo… | Hybrid | Reliability | Deploy a zone-redundant E… | | Medium
Network Topo… | Hybrid | Performance | For scenarios that require… | | Medium
Network Topo… | Hybrid | Performance | When low latency is requir… | | Medium
Network Topo… | Hybrid | Reliability | Use zone-redundant VPN gat… | | Medium
Network Topo… | Hybrid | Reliability | Use redundant VPN appliance… | | Medium
Network Topo… | Hybrid | Cost | If using ExpressRoute Direct… | | High
Network Topo… | Hybrid | Security | When traffic isolation or d… | | Medium
Network Topo… | Hybrid | Operations | Monitor ExpressRoute availab… | | Medium
Network Topo… | Hybrid | Operations | Use Connection Monitor for… | | Medium
Network Topo… | Hybrid | Reliability | Use ExpressRoute circuits f… | | Medium
Network Topo… | Hybrid | Reliability | Use site-to-site VPN as fail… | | Medium
Network Topo… | Hybrid | Reliability | If you are using a route t… | | High
Network Topo… | Hybrid | Reliability | If using ExpressRoute, your… | | High
Network Topo… | IP plan | Security | Ensure no overlapping IP a… | | High
Network Topo… | IP plan | Security | Use IP addresses from the a… | | Low
Network Topo… | IP plan | Performance | Ensure that IP address space… | | High
Network Topo… | IP plan | Reliability | Avoid using overlapping IP… | | High
Network Topo… | IP plan | Operations | For environments where name… | | Medium
Network Topo… | IP plan | Security | For environments where nam… | | Medium
Network Topo… | IP plan | Operations | Special workloads that req… | | Low
Network Topo… | IP plan | Operations | Enable auto-registration fo… | | High
Network Topo… | Internet | Security | Consider using Azure Basti… | | Medium
Network Topo… | Internet | Security | Use Azure Bastion in a subn… | | Medium
Network Topo… | Internet | Security | Use Azure Firewall to govern… | | High
Network Topo… | Internet | Security | Create a global Azure Firewa… | | Medium
Network Topo… | Internet | Security | Configure supported partner… | | Low
Network Topo… | Internet | Security | Use Azure Front Door and W… | | Medium
Network Topo… | Internet | Security | When using Azure Front Doo… | | Low
Network Topo… | Internet | Security | Deploy WAFs and other reve… | | High
Network Topo… | Internet | Security | Use Azure DDoS Network or… | | High
Network Topo… | Internet | Security | Use FQDN-based network rule… | | High
Network Topo… | Internet | Security | Use Azure Firewall Premium… | | High
Network Topo… | Internet | Security | Configure Azure Firewall Th… | | High
Network Topo… | Internet | Security | Configure Azure Firewall ID… | | High
Network Topo… | Internet | Security | For subnets in VNets not co… | | High
Network Topo… | Internet | Reliability | Assess and review network… | | High
Network Topo… | PaaS | Security | Ensure that control-plane c… | | High
Network Topo… | PaaS | Security | Use Private Link, where avai… | | Medium
Network Topo… | PaaS | Security | Access Azure PaaS services… | | Medium
Network Topo… | PaaS | Security | Don't enable virtual networ… | | Medium
Network Topo… | PaaS | Security | Filter egress traffic to Azu… | | Medium
Network Topo… | Segmentation | Security | Use a /26 prefix for your Az… | | High
Network Topo… | Segmentation | Security | Use at least a /27 prefix f… | | High
Network Topo… | Segmentation | Security | Don't rely on the NSG inbou… | | Medium
Network Topo… | Segmentation | Security | Delegate subnet creation t… | | Medium
Network Topo… | Segmentation | Security | Use NSGs to help protect tra… | | Medium
Network Topo… | Segmentation | Security | The application team should… | | Medium
Network Topo… | Segmentation | Security | Use NSGs and application se… | | Medium
Network Topo… | Segmentation | Security | Enable VNet Flow Logs and… | | Medium
Network Topo… | Virtual WAN | Operations | Consider Virtual WAN for si… | | Medium
Network Topo… | Virtual WAN | Performance | Use a Virtual WAN hub per… | | Medium
Network Topo… | Virtual WAN | Performance | Follow the principle 'traff… | | Low
Network Topo… | Virtual WAN | Security | For outbound Internet traffi… | | Medium
Network Topo… | Virtual WAN | Reliability | Ensure that the network arc… | | Medium
Network Topo… | Virtual WAN | Operations | Use Azure Monitor Insights… | | Medium
Network Topo… | Virtual WAN | Reliability | Make sure that your IaC dep… | | Medium
Network Topo… | Virtual WAN | Reliability | Use AS-Path as hub routing… | | Medium
Network Topo… | Virtual WAN | Reliability | Make sure that your IaC de… | | Medium
Network Topo… | Virtual WAN | Reliability | Assign enough IP space to vi… | | High
Governance | Governance | Security | Leverage Azure Policy strate… | | High
Governance | Governance | Security | Identify required Azure tag… | | Medium
Governance | Governance | Security | Map regulatory and complia… | | Medium
Governance | Governance | Security | Establish Azure Policy defi… | | Medium
Governance | Governance | Security | Manage policy assignments… | | Medium
Governance | Governance | Security | Use Azure Policy to control… | | Low
Governance | Governance | Security | Use built-in policies where… | | Medium
Governance | Governance | Security | Assign the bui… | Assigning the… | Medium
Governance | Governance | Security | Limit the number of Azure… | | Medium
Governance | Governance | Security | If any data sovereignty req… | | Medium
Governance | Governance | Security | For Sovereign Landing Zone,… | | Medium
Governance | Governance | Security | For Sovereign Landing Zone… | | Medium
Governance | Governance | Security | For Sovereign Landing Zone,… | | Medium
Governance | Optimize your… | Security | Consider using automation… | | Low
Management | Scalability | Reliability | Leverage Azure Virtual Mach… | | Medium
Governance | Optimize your… | Cost | Configure 'Actual' and 'For… | | Medium
Management | App delivery | Operations | Add diagnostic settings to… | | High
Management | App delivery | Operations | Send WAF logs from your app… | | Medium
Management | Data Protecti… | Reliability | Consider cross-region repli… | | Medium
Management | Data Protecti… | Reliability | When using Azure Backup,… | | Medium
Management | Monitoring | Operations | Use a single monitor logs… | | Medium
Management | Monitoring | Operations | Ensure that the landing zo… | | Medium
Management | Monitoring | Operations | Use Azure Monitor Logs when… | | Medium
Management | Monitoring | Operations | Use Azure Policy for access… | | Medium
Management | Monitoring | Operations | Monitor in-guest virtual ma… | | Medium
Management | Monitoring | Operations | Use Update Management in… | | Medium
Management | Monitoring | Operations | Use Network Watcher to proa… | | Medium
Management | Monitoring | Operations | Use resource locks to preven… | | Medium
Management | Monitoring | Operations | Use deny policies to suppl… | | Low
Management | Monitoring | Operations | Include service and resourc… | | Medium
Management | Monitoring | Operations | Include alerts and action g… | | Medium
Management | Monitoring | Operations | Don't send raw log entries b… | | Medium
Management | Monitoring | Operations | Use a centralized Azure Mon… | | Medium
Management | Monitoring | Operations | Use Azure Monitor Logs for… | | Medium
Management | Monitoring | Operations | When necessary, use shared… | | Medium
Management | Monitoring | Operations | Use Azure Monitor alerts fo… | | Medium
Management | Monitoring | Operations | Ensure that monitoring requ… | | Medium
Management | Monitoring | Operations | Consider supported regions… | | Medium
Management | Operational… | Security | Use Azure policies to auto… | | Medium
Management | Operational… | Security | Monitor VM sec… | Azure Policy'… | Medium
Management | Protect and R… | Operations | Use Azure Site Recovery for… | | Medium
Management | Protect and R… | Operations | Ensure to use and test nativ… | | Medium
Management | Protect and R… | Operations | Use Azure-native backup cap… | | Medium
Management | Fault Toleran… | Reliability | Leverage Availability Zones… | | High
Management | Fault Toleran… | Reliability | Avoid running a production… | | High
Management | Fault Toleran… | Reliability | Azure Load Balancer and App… | | Medium
Security | Access contro… | Security | Determine the incident resp… | | Medium
Security | Access contro… | Security | Implement a zero-trust app… | | Medium
Security | Encryption an… | Security | Use Azure Key Vault to stor… | | High
Security | Encryption an… | Security | Use different Azure Key Vaul… | | Medium
Security | Encryption an… | Security | Provision Azure Key Vault w… | | Medium
Security | Encryption an… | Security | Follow a least privilege mod… | | Medium
Security | Encryption an… | Security | Automate the certificate ma… | | Medium
Security | Encryption an… | Security | Establish an automated proc… | | Medium
Security | Encryption an… | Security | Enable firewall and virtual… | | Medium
Security | Encryption an… | Security | Use the platform-central Az… | | Medium
Security | Encryption an… | Security | Delegate Key Vault instanti… | | Medium
Security | Encryption an… | Security | Default to Microsoft-manag… | | Medium
Security | Encryption an… | Security | Use an Azure Key Vault per… | | Medium
Security | Encryption an… | Security | If you want to bring your o… | | Medium
Security | Encryption an… | Security | For Sovereign Landing Zone… | | Medium
Security | Operations | Security | Use Microsoft Entra ID repor… | | Medium
Security | Operations | Security | Export Azure activity logs… | | Medium
Security | Operations | Security | Enable Defender Cloud Secu… | | High
Security | Operations | Security | Enable a Defender Cloud Wor… | | High
Security | Operations | Security | Enable Defender Cloud Work… | | High
Security | Operations | Security | Enable Endpoint Protection… | | High
Security | Operations | Security | Monitor base operating sys… | | Medium
Security | Operations | Security | Connect default resource co… | | Medium
Security | Operations | Security | For Sovereign Landing Zone,… | | Medium
Security | Operations | Security | For Sovereign Landing Zone… | | Medium
Security | Overview | Security | Secure transfer to storage… | | High
Security | Overview | Security | Enable container soft delet… | | High
Security | Secure privil… | Security | Separate privileged admin a… | | High
Security | Service enab… | Security | Plan how new azure service… | | Medium
Security | Service enab… | Security | Plan how service request wil… | | Medium
Platform Aut… | DevOps Team… | Operations | Ensure you have a cross fu… | | High
Platform Aut… | DevOps Team… | Operations | Aim to define functions fo… | | Low
Platform Aut… | DevOps Team… | Operations | Aim to define functions for… | | Low
Platform Aut… | DevOps Team… | Operations | Use a CI/CD pipeline to dep… | | High
Platform Aut… | DevOps Team… | Operations | Include unit tests for IaC a… | | Medium
Platform Aut… | DevOps Team… | Operations | Use Key Vault secrets to avo… | | High
Platform Aut… | DevOps Team… | Operations | Implement automation for F… | | Low
Platform Aut… | Development… | Operations | Ensure a version control sy… | | High
Platform Aut… | Development… | Operations | Follow a branching strategy… | | Low
Platform Aut… | Development… | Operations | Adopt a pull request strat… | | Medium
Platform Aut… | Development… | Operations | Leverage Declarative Infra… | | High
Platform Aut… | Security | Operations | Integrate security into the… | | High