What cloud services are supported for Azure?

Holm Security Cloud Scanner checks for security best practices and for the misconfigurations that contribute to the most common causes of security breaches, across a vast list of Azure services.

There is also a set of plugins highlighting unused or misused services that could help save monthly Azure costs. Read more about these plugins in this article:

https://support.holmsecurity.com/hc/en-us/articles/7478410504476

 

Here's the list of Azure cloud services that we currently support:

  • Active Directory
  • Advisor
  • App Service
  • Azure Policy
  • Blob Service
  • CDN Profiles
  • Container Registry
  • Cosmos DB
  • Defender
  • File Service
  • Key Vaults
  • Kubernetes Service
  • Load Balancer
  • Log Alerts
  • Monitor
  • MySQL Server
  • Network Security Groups
  • Network Watcher
  • PostgreSQL Server
  • Queue Service
  • Redis Cache
  • Resources
  • SQL Databases
  • SQL Server
  • Storage Accounts
  • Table Service
  • Virtual Machines
  • Virtual Networks

Across the services, the following policies are scanned for: 

  • Active Directory - Ensure No Guest User
  • Active Directory - Minimum Password Length
  • Active Directory - No Custom Owner Roles
  • Active Directory - Password Requires Lowercase
  • Active Directory - Password Requires Numbers
  • Active Directory - Password Requires Symbols
  • Active Directory - Password Requires Uppercase
  • Advisor - Active Advisor Recommendations
  • App Service - .NET Framework Version
  • App Service - App Service Access Restriction
  • App Service - App Service Certificates Expiry
  • App Service - App Service SCM Site Access Restriction
  • App Service - Authentication Enabled
  • App Service - Client Certificates Enabled
  • App Service - Disable FTP Deployments
  • App Service - FTPS Only Access Enabled
  • App Service - HTTP 2.0 Enabled
  • App Service - HTTPS Only Enabled
  • App Service - Identity Enabled
  • App Service - Java Version
  • App Service - PHP Version
  • App Service - Python Version
  • App Service - TLS Version Check
  • App Service - Web Apps Active Directory Enabled
  • App Service - Web Apps Always On Enabled
  • App Service - Web Apps Backup Enabled
  • App Service - Web Apps Backup Retention Period
  • App Service - Web Apps Insights Enabled
  • App Service - Web Apps Remote Debugging Disabled
  • Azure Policy - Resource Location Matches Resource Group
  • Azure Policy - Resources Allowed Locations
  • Blob Service - Blob Container Private Access
  • Blob Service - Blob Service Immutable
  • CDN Profiles - Detect Insecure Custom Origin
  • CDN Profiles - Endpoint Logging Enabled
  • Container Registry - ACR Admin User
  • Cosmos DB - Advanced Threat Protection Enabled
  • Cosmos DB - Automatic Failover Enabled
  • Cosmos DB - Cosmos DB Has Tags
  • Cosmos DB - Cosmos DB Public Access Disabled
  • Defender - Admin Security Alerts Enabled
  • Defender - Application Whitelisting Enabled
  • Defender - Auto Provisioning Enabled
  • Defender - Enable Defender Endpoint Integration
  • Defender - Enable Defender For Containers
  • Defender - Enable Defender For DNS
  • Defender - Enable Defender For SQL Servers
  • Defender - Enable Defender For Storage
  • Defender - High Severity Alerts Enabled
  • Defender - Monitor Blob Encryption
  • Defender - Monitor Disk Encryption
  • Defender - Monitor Endpoint Protection
  • Defender - Monitor External Accounts with Write Permissions
  • Defender - Monitor IP Forwarding
  • Defender - Monitor JIT Network Access
  • Defender - Monitor Next Generation Firewall
  • Defender - Monitor NSG Enabled
  • Defender - Monitor SQL Auditing
  • Defender - Monitor SQL Encryption
  • Defender - Monitor System Updates
  • Defender - Monitor Total Number of Subscription Owners
  • Defender - Monitor VM Vulnerability
  • Defender - Security Configuration Monitoring
  • Defender - Security Contacts Enabled
  • Defender - Standard Pricing Enabled
  • File Service - File Service All Access ACL
  • Key Vaults - Allowed Certificates Key Types
  • Key Vaults - App Tier CMK In Use
  • Key Vaults - Database Tier CMK In Use
  • Key Vaults - Key Expiration Enabled
  • Key Vaults - Key Vault Has Tags
  • Key Vaults - Key Vault In Use
  • Key Vaults - Key Vault Key Expiry
  • Key Vaults - Key Vault Recovery Enabled
  • Key Vaults - Key Vault Restrict Default Network Access
  • Key Vaults - Key Vault Secret Expiry
  • Key Vaults - KeyVault Trusted Services Enabled
  • Key Vaults - Manage Key Access and Permissions
  • Key Vaults - RSA Certificate Allowed Key Size
  • Key Vaults - Secret Expiration Enabled
  • Key Vaults - SSL Certificate Auto Renewal
  • Kubernetes Service - AKS Cluster Has Tags
  • Kubernetes Service - AKS Cluster Private
  • Kubernetes Service - AKS Encryption At Rest with BYOK
  • Kubernetes Service - Kubernetes Latest Version
  • Kubernetes Service - Kubernetes RBAC Enabled
  • Kubernetes Service - Kubernetes Version For Agent Pools
  • Load Balancer - LB HTTPS Only
  • Load Balancer - LB No Instances
  • Load Balancer - Load Balancer Has Tags
  • Log Alerts - Key Vault Logging Enabled
  • Log Alerts - Load Balancers Logging Enabled
  • Log Alerts - Network Security Groups Logging Enabled
  • Log Alerts - Network Security Groups Rule Logging Enabled
  • Log Alerts - Policy Assignment Alerts Enabled
  • Log Alerts - PostgreSQL Server Database Logging Enabled
  • Log Alerts - Security Policy Alerts Enabled
  • Log Alerts - Security Solution Logging
  • Log Alerts - SQL Server Database Logging Enabled
  • Log Alerts - SQL Server Database Rename Alert Enabled
  • Log Alerts - SQL Server Firewall Rule Alerts Monitor
  • Log Alerts - Storage Account Logging Enabled
  • Log Alerts - Virtual Machine Deallocate Alert Enabled
  • Log Alerts - Virtual Machine Logging Enabled
  • Log Alerts - Virtual Machine Power Off Alert Enabled
  • Log Alerts - Virtual Network Alerts Monitor
  • Monitor - Azure Monitor Logs Enabled
  • Monitor - Diagnostics Captured Categories
  • Monitor - Diagnostics Settings Enabled
  • Monitor - Key Vault Log Analytics Enabled
  • Monitor - Load Balancer Log Analytics Enabled
  • Monitor - Log Profile Archive Data
  • Monitor - Log Profile Retention Policy
  • Monitor - NSG Log Analytics Enabled
  • MySQL Server - Enforce MySQL SSL Connection
  • Network Security Groups - Default Security Group
  • Network Security Groups - Excessive Security Groups
  • Network Security Groups - Network Watcher Enabled
  • Network Security Groups - Open All Ports
  • Network Security Groups - Open Cassandra Client
  • Network Security Groups - Open Cassandra Internode
  • Network Security Groups - Open Cassandra Monitoring
  • Network Security Groups - Open Cassandra Thrift
  • Network Security Groups - Open CIFS
  • Network Security Groups - Open DNS
  • Network Security Groups - Open Docker
  • Network Security Groups - Open Elasticsearch
  • Network Security Groups - Open FTP
  • Network Security Groups - Open Hadoop HDFS NameNode Metadata Service
  • Network Security Groups - Open Hadoop HDFS NameNode WebUI
  • Network Security Groups - Open Internal Web
  • Network Security Groups - Open Kibana
  • Network Security Groups - Open LDAP
  • Network Security Groups - Open LDAPS
  • Network Security Groups - Open Memcached
  • Network Security Groups - Open MongoDB
  • Network Security Groups - Open MySQL
  • Network Security Groups - Open NetBIOS
  • Network Security Groups - Open Oracle
  • Network Security Groups - Open Oracle Auto Data Warehouse
  • Network Security Groups - Open PostgreSQL
  • Network Security Groups - Open RDP
  • Network Security Groups - Open Redis
  • Network Security Groups - Open RPC
  • Network Security Groups - Open Salt
  • Network Security Groups - Open SMBoTCP
  • Network Security Groups - Open SMTP
  • Network Security Groups - Open SNMP
  • Network Security Groups - Open SQLServer
  • Network Security Groups - Open SSH
  • Network Security Groups - Open Telnet
  • Network Security Groups - Open UDP Ports
  • Network Security Groups - Open VNC Client
  • Network Security Groups - Open VNC Server
  • Network Watcher - NSG Flow Logs Retention Period
  • PostgreSQL Server - Azure Active Directory Admin Configured
  • PostgreSQL Server - Connection Throttling Enabled
  • PostgreSQL Server - Enable Geo-Redundant Backups
  • PostgreSQL Server - Enforce PostgreSQL SSL Connection
  • PostgreSQL Server - Log Checkpoints Enabled
  • PostgreSQL Server - Log Connections Enabled
  • PostgreSQL Server - Log Disconnections Enabled
  • PostgreSQL Server - Log Duration Enabled
  • PostgreSQL Server - Log Retention Period
  • PostgreSQL Server - PostgreSQL Server Has Tags
  • PostgreSQL Server - Storage Auto-Growth Enabled
  • Queue Service - Queue Service All Access ACL
  • Redis Cache - Minimum TLS Version
  • Redis Cache - Redis Cache Has Tags
  • Redis Cache - SSL Access Only Enabled
  • Resources - Management Lock Enabled
  • Resources - Resources Usage Limits
  • SQL Databases - Database Auditing Enabled
  • SQL Databases - DB Restorable
  • SQL Databases - Point in Time Restore Backup Retention
  • SQL Databases - SQL DB Multiple AZ
  • SQL Server - Advanced Data Security Enabled
  • SQL Server - Audit Action Groups Enabled
  • SQL Server - Audit Retention Policy
  • SQL Server - Auto-Failover Groups Enabled
  • SQL Server - Azure Active Directory Admin Enabled
  • SQL Server - Email Account Admins Enabled
  • SQL Server - Send Alerts Enabled
  • SQL Server - Server Auditing Enabled
  • SQL Server - Server Send Email to Admin and Owners
  • SQL Server - SQL Server Advanced Threat Protection Enabled
  • SQL Server - SQL Server Automatic Tuning Enabled
  • SQL Server - SQL Server Has Tags
  • SQL Server - SQL Server Minimum TLS Version
  • SQL Server - SQL Server Private Endpoints Configured
  • SQL Server - SQL Server Public Access
  • SQL Server - SQL Server Recurring Scans Enabled
  • SQL Server - SQL Server Send Scan Reports
  • SQL Server - TDE Protector Encrypted
  • Storage Accounts - Blob Service Encryption
  • Storage Accounts - Blobs Soft Deletion Enabled
  • Storage Accounts - File Service Encryption
  • Storage Accounts - Log Container Public Access
  • Storage Accounts - Log Storage Encryption
  • Storage Accounts - Network Access Default Action
  • Storage Accounts - Storage Account Has Tags
  • Storage Accounts - Storage Accounts AAD Enabled
  • Storage Accounts - Storage Accounts Encryption
  • Storage Accounts - Storage Accounts HTTPS
  • Storage Accounts - Storage Accounts Minimum TLS Version
  • Storage Accounts - Trusted MS Access Enabled
  • Table Service - Table Service All Access ACL
  • Virtual Machines - Accelerated Networking Enabled
  • Virtual Machines - Automatic Instance Repairs Enabled
  • Virtual Machines - Automatic OS Upgrades Enabled
  • Virtual Machines - Classic Instances
  • Virtual Machines - Disk Volumes BYOK Encryption Enabled
  • Virtual Machines - Guest Level Diagnostics Enabled
  • Virtual Machines - Managed VM Machine Image
  • Virtual Machines - No Empty Scale Sets
  • Virtual Machines - No Unattached Disk Volumes
  • Virtual Machines - Old VM Disk Snapshots
  • Virtual Machines - Password Authentication Disabled
  • Virtual Machines - Premium SSD Disabled
  • Virtual Machines - Scale Set Multi Az
  • Virtual Machines - Scale Sets Autoscale Enabled
  • Virtual Machines - Scale Sets Autoscale Notifications Enabled
  • Virtual Machines - Scale Sets Health Monitoring Enabled
  • Virtual Machines - Snapshot Has Tags
  • Virtual Machines - Virtual Machine Boot Diagnostics Enabled
  • Virtual Machines - Virtual Machine Has Tags
  • Virtual Machines - Virtual Machine Performance Diagnostics Enabled
  • Virtual Machines - VM Active Directory (AD) Authentication Enabled
  • Virtual Machines - VM Agent Enabled
  • Virtual Machines - VM Approved Extensions
  • Virtual Machines - VM Auto Update Enabled
  • Virtual Machines - VM Availability Set Enabled
  • Virtual Machines - VM Availability Set Limit
  • Virtual Machines - VM Backups Enabled
  • Virtual Machines - VM Daily Backup Retention Period
  • Virtual Machines - VM Data Disk Encryption
  • Virtual Machines - VM Desired SKU Size
  • Virtual Machines - VM Disk Has Tags
  • Virtual Machines - VM Endpoint Protection
  • Virtual Machines - VM Instance Limit
  • Virtual Machines - VM Instant Restore Backup Retention Period
  • Virtual Machines - VM Managed Disks Enabled
  • Virtual Machines - VM OS Disk Encryption
  • Virtual Networks - DDoS Standard Protection Enabled
  • Virtual Networks - Managed NAT Gateway In Use
  • Virtual Networks - Multiple Subnets
  • Virtual Networks - No Network Gateways Connections
  • Virtual Networks - No Network Gateways In Use
  • Virtual Networks - Virtual Network Has Tags
  • Virtual Networks - Virtual Network Peering