From 61e0cf48f8003373bfa943630504b0fd5468b011 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Fri, 4 Oct 2024 10:36:21 +1000 Subject: [PATCH] Quality updates for WAF #2570 (#3079) --- docs/en/rules/Azure.AKS.HttpAppRouting.md | 10 ++++++---- docs/en/rules/Azure.AppGw.UseWAF.md | 4 ++-- docs/en/rules/Azure.AppGw.WAFEnabled.md | 4 ++-- docs/en/rules/Azure.Cosmos.DisableLocalAuth.md | 2 +- docs/en/rules/Azure.FrontDoor.WAF.Enabled.md | 4 ++-- docs/en/rules/Azure.Storage.Firewall.md | 4 ++-- docs/en/rules/Azure.VM.ScriptExtensions.md | 6 +++--- docs/en/rules/Azure.VMSS.ScriptExtensions.md | 6 +++--- 8 files changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/en/rules/Azure.AKS.HttpAppRouting.md b/docs/en/rules/Azure.AKS.HttpAppRouting.md index 00d138bd9f3..389ba5ad3c5 100644 --- a/docs/en/rules/Azure.AKS.HttpAppRouting.md +++ b/docs/en/rules/Azure.AKS.HttpAppRouting.md @@ -1,8 +1,8 @@ --- -reviewed: 2021/12/10 +reviewed: 2021-12-10 severity: Important pillar: Security -category: Application endpoints +category: SE:06 Network controls resource: Azure Kubernetes Service online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.HttpAppRouting/ --- @@ -21,11 +21,13 @@ This may be helpful in some limited scenarios, but should not be used in product When exposing application endpoints consider using an ingress controller that supports: - Security filtering behind web application firewall (WAF). -- Encyption in transit over TLS. +- Encryption in transit over TLS. - Multiple replicas. Azure provides a production ready ingress controller _Application Gateway Ingress Controller_ (AGIC). +HTTP application routing add-on (preview) for Azure Kubernetes Service (AKS) will be retired on 03 March 2025. + ## RECOMMENDATION Consider disabling the HTTP application routing add-on in your AKS cluster. 
@@ -182,7 +184,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = { ## LINKS -- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) - [HTTP application routing](https://learn.microsoft.com/azure/aks/http-application-routing) - [Enable Application Gateway Ingress Controller add-on for an existing AKS cluster](https://learn.microsoft.com/azure/application-gateway/tutorial-ingress-controller-add-on-existing) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters#ManagedClusterAutoUpgradeProfile) diff --git a/docs/en/rules/Azure.AppGw.UseWAF.md b/docs/en/rules/Azure.AppGw.UseWAF.md index b7e2912a217..8079239ec90 100644 --- a/docs/en/rules/Azure.AppGw.UseWAF.md +++ b/docs/en/rules/Azure.AppGw.UseWAF.md @@ -2,7 +2,7 @@ reviewed: 2021-07-25 severity: Critical pillar: Security -category: Application endpoints +category: SE:06 Network controls resource: Application Gateway online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.UseWAF/ --- 
@@ -101,7 +101,7 @@ $AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' - ## LINKS -- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways) diff --git a/docs/en/rules/Azure.AppGw.WAFEnabled.md b/docs/en/rules/Azure.AppGw.WAFEnabled.md index f89f4d12575..8a72bbf8caa 100644 --- a/docs/en/rules/Azure.AppGw.WAFEnabled.md +++ b/docs/en/rules/Azure.AppGw.WAFEnabled.md @@ -1,7 +1,7 @@ --- severity: Critical pillar: Security -category: Network security and containment +category: SE:06 Network controls resource: Application Gateway online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.WAFEnabled/ --- @@ -102,7 +102,7 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway ## LINKS -- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways) 
diff --git a/docs/en/rules/Azure.Cosmos.DisableLocalAuth.md b/docs/en/rules/Azure.Cosmos.DisableLocalAuth.md index 3616ddc362c..f2a95965e60 100644 --- a/docs/en/rules/Azure.Cosmos.DisableLocalAuth.md +++ b/docs/en/rules/Azure.Cosmos.DisableLocalAuth.md @@ -1,7 +1,7 @@ --- severity: Critical pillar: Security -category: SE:05 Identity and access +category: SE:05 Identity and access management resource: Cosmos DB online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.DisableLocalAuth/ --- diff --git a/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md b/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md index 28059add553..4a1c57c29cf 100644 --- a/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md +++ b/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md @@ -1,7 +1,7 @@ --- severity: Critical pillar: Security -category: Application endpoints +category: SE:06 Network controls resource: Front Door online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.FrontDoor.WAF.Enabled/ --- @@ -25,7 +25,7 @@ Consider enabling WAF policy. ## LINKS -- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [Policy settings for Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-state) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies) diff --git a/docs/en/rules/Azure.Storage.Firewall.md b/docs/en/rules/Azure.Storage.Firewall.md index 282c3698f9c..8c49b7f6c2e 100644 --- a/docs/en/rules/Azure.Storage.Firewall.md +++ b/docs/en/rules/Azure.Storage.Firewall.md 
@@ -1,7 +1,7 @@ --- severity: Important pillar: Security -category: Application endpoints +category: SE:06 Network controls resource: Storage Account online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.Firewall/ --- @@ -101,7 +101,7 @@ Azure storage firewall is not supported for Cloud Shell storage accounts. ## LINKS -- [Public endpoints](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints#public-endpoints) +- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) - [Configure Azure Storage firewalls and virtual networks](https://learn.microsoft.com/azure/storage/common/storage-network-security) - [Use private endpoints for Azure Storage](https://learn.microsoft.com/azure/storage/common/storage-private-endpoints) - [Persist files in Azure Cloud Shell](https://learn.microsoft.com/azure/cloud-shell/persisting-shell-storage) diff --git a/docs/en/rules/Azure.VM.ScriptExtensions.md b/docs/en/rules/Azure.VM.ScriptExtensions.md index 2c6dd461a38..474a4008ef5 100644 --- a/docs/en/rules/Azure.VM.ScriptExtensions.md +++ b/docs/en/rules/Azure.VM.ScriptExtensions.md @@ -2,7 +2,7 @@ reviewed: 2022-11-16 severity: Important pillar: Security -category: Secrets +category: SE:02 Secured development lifecycle resource: Virtual Machine online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.ScriptExtensions/ --- 
@@ -75,7 +75,7 @@ resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = { ## LINKS -- [Secure application configuration and dependencies](https://learn.microsoft.com/azure/architecture/framework/security/design-app-dependencies) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep) +- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) - [Windows Custom Script Extensions](https://learn.microsoft.com/azure/virtual-machines/extensions/custom-script-windows) - [Linux Custom Script Extensions](https://learn.microsoft.com/azure/virtual-machines/extensions/custom-script-linux) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines/extensions) diff --git a/docs/en/rules/Azure.VMSS.ScriptExtensions.md b/docs/en/rules/Azure.VMSS.ScriptExtensions.md index 7a13af6caba..173b5d37173 100644 --- a/docs/en/rules/Azure.VMSS.ScriptExtensions.md +++ b/docs/en/rules/Azure.VMSS.ScriptExtensions.md @@ -2,7 +2,7 @@ reviewed: 2022-11-16 severity: Important pillar: Security -category: Secrets +category: SE:02 Secured development lifecycle resource: Virtual Machine Scale Sets online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VMSS.ScriptExtensions/ --- 
@@ -80,6 +80,6 @@ extensionProfile: { ## LINKS -- [Secure application configuration and dependencies](https://learn.microsoft.com/azure/architecture/framework/security/design-app-dependencies) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets/extensions) +- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) - [Azure VMSS Extensions Overview](https://learn.microsoft.com/azure/virtual-machines/extensions/overview) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets/extensions)
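Review bot: In the `Azure.AKS.HttpAppRouting.md` hunk at `@@ -1,8 +1,8 @@`, the `reviewed:` value is only reformatted (`2021/12/10` to `2021-12-10`) while the second hunk in the same file adds new guidance (the 03 March 2025 retirement notice). A rule whose body changes should have its `reviewed:` date bumped as well, otherwise readers will take the new paragraph as reviewed in 2021; the patch date (4 Oct 2024) is the natural value, e.g. `reviewed: 2024-10-04`.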
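Review bot: In the `Azure.AKS.HttpAppRouting.md` hunk at `@@ -182,7 +184,7 @@`, the unchanged `Azure deployment reference` link still targets the `#ManagedClusterAutoUpgradeProfile` anchor, which is the auto-upgrade section of the `managedClusters` template reference rather than the add-on configuration this rule is about. Since the LINKS list is already being edited here, retargeting that anchor to the add-on profile section of the same page (or dropping the anchor so the link lands on the resource overview) would avoid sending readers to an unrelated property.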
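Review bot: In the `Azure.Storage.Firewall.md` hunk at `@@ -101,7 +101,7 @@`, the removed link pointed at a specific section (`#public-endpoints`) while the replacement is the page-level `SE:06 Network controls` URL, so the section-specific context for why a storage firewall matters is lost. If the new networking page has a heading covering public endpoints, keep an anchor to it; otherwise a short clause in the link text (for example `SE:06 Network controls (public endpoints)`) would preserve the pointer the old link gave.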
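Review bot: In the `Azure.VM.ScriptExtensions.md` hunk at `@@ -2,7 +2,7 @@`, the category is remapped from `Secrets` to `SE:02 Secured development lifecycle`. The Well-Architected security checklist also has `SE:09 Application secrets`, which is the direct successor of a `Secrets` category; please confirm SE:02 is the intended mapping, and if SE:09 is the better fit, the new `SE:02 Secured development lifecycle` link added in the `@@ -75,7 +75,7 @@` hunk should be swapped for the SE:09 guidance page in the same change so the front matter and LINKS stay consistent.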
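Review bot: In the `Azure.VMSS.ScriptExtensions.md` hunk at `@@ -2,7 +2,7 @@`, the same `Secrets` to `SE:02 Secured development lifecycle` remapping is applied as in the VM rule; whatever category is settled on for `Azure.VM.ScriptExtensions` should be mirrored here, including the matching link in the `@@ -80,6 +80,6 @@` hunk, since the two rules cover the same extension on different resource types and the reordering in that hunk otherwise only moves `Azure deployment reference` to the end of the list.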