Recommendations
| Recommendation | Description | Risk Level | Category | Frameworks |
|---|---|---|---|---|
| A maximum of 3 owners should be designated for subscriptions | Ensures no more than 3 users are assigned the Owner role on Azure subscriptions to limit administrative exposure. | CRITICAL | Identity & Access Management | 5 |
| Access to storage accounts with firewall and VNet config should be restricted | Ensures storage accounts have firewall rules and VNet restrictions configured to limit network access. | HIGH | Storage Security | 1 |
| Activity log alert should exist for Create or Update NSG | Ensures an activity log alert is configured to detect creation or modification of Network Security Groups. | MEDIUM | Logging & Monitoring | 1 |
| Activity log alert should exist for Create or Update NSG Rule | Ensures an activity log alert is configured to detect creation or modification of NSG rules. | MEDIUM | Logging & Monitoring | 1 |
| Activity log alert should exist for Create or Update SQL Server Firewall Rule | Ensures an activity log alert is configured to detect creation or modification of SQL Server firewall rules. | HIGH | Logging & Monitoring | 1 |
| Activity log alert should exist for Delete NSG | Ensures an activity log alert is configured to detect deletion of entire Network Security Groups. | MEDIUM | Logging & Monitoring | 1 |
| Activity log alert should exist for Delete NSG Rule | Ensures an activity log alert is configured to detect deletion of NSG rules. | MEDIUM | Logging & Monitoring | 1 |
| Activity log alert should exist for Delete SQL Server Firewall Rule | Ensures an activity log alert is configured to detect deletion of SQL Server firewall rules. | HIGH | Logging & Monitoring | 1 |
| Activity log alert should exist for specific Policy operations | Ensures activity log alerts are configured for key Azure Policy operations like policy assignment changes. | MEDIUM | Logging & Monitoring | 1 |
| AKS nodes should have vulnerability findings resolved | Ensures that vulnerability findings on AKS node images are remediated through image updates or patching. | HIGH | Kubernetes / AKS | 2 |
| AKS OS and data disks should be encrypted by CMK | Ensures AKS cluster OS and data disks use customer-managed keys for encryption. | HIGH | Kubernetes / AKS | 1 |
| Audit diagnostic setting for selected resource types | Ensures that diagnostic settings are configured for key Azure resource types to enable logging and monitoring. | MEDIUM | Logging & Monitoring | 1 |
| Audit flow logs configuration for every virtual network | Audits whether flow log configuration exists for every virtual network to ensure network monitoring coverage. | MEDIUM | Logging & Monitoring | 1 |
| Azure Automation accounts should use CMK for encryption at rest | Ensures Azure Automation accounts encrypt data at rest using customer-managed keys. | HIGH | Data Encryption | 1 |
| Azure Container Instance should use CMK for encryption | Ensures Azure Container Instances encrypt data at rest using customer-managed keys. | HIGH | Container Security | 1 |
| Azure Database for PostgreSQL flexible server should have Entra-only auth | Ensures Azure Database for PostgreSQL uses Entra ID (Azure AD) authentication only, disabling local password auth. | HIGH | Identity & Access Management | 1 |
| Azure Databricks Clusters should disable public IP | Ensures Azure Databricks cluster nodes do not have public IP addresses assigned. | HIGH | Databricks | 1 |
| Azure Databricks Workspaces should disable public network access | Ensures Azure Databricks workspaces are not accessible from the public internet. | HIGH | Databricks | 1 |
| Azure Databricks Workspaces should use private link | Ensures Azure Databricks workspaces are accessible only through private endpoints. | HIGH | Databricks | 1 |
| Azure Key Vaults should use private link | Ensures Azure Key Vaults are accessible only through private endpoints, not over the public internet. | HIGH | Key Management | 3 |
| Azure overprovisioned identities should have only necessary permissions | Identifies Azure identities with more permissions than they actually use and recommends right-sizing them. | HIGH | Identity & Access Management | 1 |
| Azure running container images should have vulnerabilities resolved | Ensures container images running in Azure are scanned and have known vulnerabilities resolved. | HIGH | Container Security | 2 |
| Container CPU and memory limits should be enforced | Ensures containers have CPU and memory limits defined, preventing resource exhaustion and noisy-neighbor issues. | HIGH | Container Security | 3 |
| Container images should be deployed from trusted registries only | Ensures that only container images from approved, trusted registries are deployed to your environment. | HIGH | General | 3 |
| Container registries should be encrypted with CMK | Ensures Azure Container Registry uses customer-managed keys (CMK) for encryption of stored images. | HIGH | Container Security | 1 |
| Container registries should not allow unrestricted network access | Ensures Azure Container Registries restrict network access through firewall rules or virtual network integration. | HIGH | Container Security | 3 |
| Container registries should use private link | Ensures Azure Container Registries are accessible only through private endpoints, not over the public internet. | HIGH | Container Security | 5 |
| Container with privilege escalation should be avoided | Prevents containers from gaining additional privileges beyond their initial set, blocking privilege escalation attacks. | CRITICAL | Container Security | 3 |
| Containers running in Azure should have vulnerability findings resolved | Ensures that running containers with known vulnerabilities are remediated by updating to patched images. | HIGH | Container Security | 2 |
| Containers sharing sensitive host namespaces should be avoided | Prevents containers from sharing host PID, IPC, or network namespaces, which could expose sensitive host-level data. | HIGH | Container Security | 3 |
| Diagnostic logs in Kubernetes services should be enabled | Requires diagnostic logging on AKS clusters to capture control plane events and audit logs. | MEDIUM | Kubernetes / AKS | 2 |
| Diagnostic logs in Service Bus should be enabled | Requires diagnostic logging on Azure Service Bus resources to capture operations, errors, and security events. | MEDIUM | Logging & Monitoring | 6 |
| Email notification for high severity alerts should be enabled | Ensures email notifications are configured for high-severity security alerts in Defender for Cloud. | MEDIUM | Logging & Monitoring | 1 |
| Flow logs should be configured for every NSG | Ensures NSG flow logs are enabled to capture network traffic flowing through Network Security Groups. | MEDIUM | Logging & Monitoring | 1 |
| Immutable (read-only) root filesystem should be enforced for containers | Enforces a read-only root filesystem on containers, preventing runtime modification of system files. | HIGH | Container Security | 3 |
| Key vaults should have deletion protection enabled | Ensures Azure Key Vaults cannot be accidentally or maliciously deleted by enabling soft-delete and purge protection. | HIGH | Key Management | 6 |
| Kubernetes clusters should be accessible only over HTTPS | Ensures Kubernetes API server and ingress endpoints are only accessible over HTTPS with TLS encryption. | HIGH | Kubernetes / AKS | 3 |
| Kubernetes clusters should disable automounting API credentials | Prevents Kubernetes from automatically mounting service account API tokens into pods that do not need them. | HIGH | Kubernetes / AKS | 3 |
| Kubernetes clusters should not use the default namespace | Ensures workloads are deployed in dedicated namespaces instead of the default namespace for better isolation. | HIGH | Kubernetes / AKS | 2 |
| Least privileged Linux capabilities should be enforced for containers | Enforces that containers run with the minimum required Linux capabilities, following the principle of least privilege. | CRITICAL | Container Security | 3 |
| Microsoft Defender CSPM should be enabled | Ensures Microsoft Defender CSPM (Cloud Security Posture Management) is enabled for advanced security posture capabilities. | HIGH | Defender Plans | 1 |
| Microsoft Defender for Resource Manager should be enabled | Ensures Microsoft Defender for Resource Manager is enabled to detect suspicious management operations. | HIGH | Defender Plans | 1 |
| Microsoft Defender for Storage with Malware Scanning and Sensitive Data Threat Detection | Ensures Microsoft Defender for Storage is enabled with malware scanning and sensitive data threat detection. | HIGH | Defender Plans | 1 |
| OS and data disks should be encrypted with customer-managed key (CMK) | Ensures VM OS and data disks use customer-managed keys (CMK) for encryption instead of platform-managed keys. | HIGH | Data Encryption | 1 |
| Permissions of inactive identities should be revoked | Ensures permissions of inactive identities are revoked to reduce standing access. | HIGH | Identity & Access Management | 1 |
| Privileged containers should be avoided | Prevents containers from running in privileged mode, which grants full access to all host devices and capabilities. | CRITICAL | Container Security | 3 |
| Privileged roles should not have permanent access at subscription/RG level | Ensures privileged roles (Owner, Contributor, etc.) are not permanently assigned but use just-in-time activation. | CRITICAL | Identity & Access Management | 2 |
| Resource logs in Azure Databricks Workspaces should be enabled | Requires resource logging on Azure Databricks workspaces for security monitoring and audit purposes. | MEDIUM | Databricks | 1 |
| Running containers as root user should be avoided | Ensures containers do not run as the root user, limiting the impact of container breakout vulnerabilities. | CRITICAL | Container Security | 3 |
| Saved-queries in Azure Monitor should be saved in customer storage account | Ensures Azure Monitor saved queries are stored in a customer-owned storage account for data sovereignty. | MEDIUM | Storage Security | 1 |
| Service Bus Premium namespaces should use CMK for encryption | Ensures Azure Service Bus Premium namespaces use customer-managed keys for encryption at rest. | HIGH | Data Encryption | 1 |
| Service Principals should not be assigned administrative roles at sub/RG level | Ensures service principals are not assigned highly privileged roles like Owner or Contributor at subscription or resource group scope. | CRITICAL | Identity & Access Management | 2 |
| Services should listen on allowed ports only | Ensures container services only listen on approved ports, restricting network exposure. | HIGH | Network Security | 1 |
| Storage account should use a private link connection | Ensures storage accounts are accessible only through private endpoints instead of public endpoints. | HIGH | Storage Security | 1 |
| Storage accounts should have infrastructure encryption | Ensures storage accounts have infrastructure encryption (double encryption) enabled for enhanced data protection. | HIGH | Storage Security | 1 |
| Storage accounts should restrict network access using VNet rules | Ensures storage accounts restrict network access using virtual network rules instead of allowing all networks. | HIGH | Storage Security | 1 |
| Storage accounts should use CMK for encryption | Ensures storage accounts use customer-managed keys for encryption instead of platform-managed keys. | HIGH | Storage Security | 1 |
| Temp disks and cache for AKS agent node pools should be encrypted at host | Ensures AKS node pool temp disks and caches are encrypted at the host level. | HIGH | Kubernetes / AKS | 1 |
| Usage of host networking and ports should be restricted | Restricts containers from using host networking or binding to host ports, maintaining network isolation. | HIGH | Network Security | 3 |
| Usage of pod HostPath volume mounts should be restricted | Restricts the use of hostPath volume mounts in pods, preventing containers from accessing the host filesystem. | HIGH | General | 3 |
| Virtual networks should be protected by Azure Firewall | Ensures Azure virtual networks are protected by Azure Firewall for centralized network security and traffic filtering. | HIGH | Network Security | 1 |
| VMs and VMSS should have encryption at host enabled | Ensures that VM and VMSS temp disks and caches are encrypted at the host level before data reaches Azure Storage. | HIGH | Data Encryption | 3 |
| Vulnerable AKS should be updated to resolve vulnerability findings | Ensures AKS clusters with known vulnerabilities are updated to patched versions. | HIGH | Kubernetes / AKS | 2 |