diff --git a/checklists/aoai_checklist.en.json b/checklists/aoai_checklist.en.json
index c7b4b9db..8df31982 100644
--- a/checklists/aoai_checklist.en.json
+++ b/checklists/aoai_checklist.en.json
@@ -5,7 +5,7 @@
"subcategory": "Metaprompting",
"text": "Follow Metaprompting guardrails for resonsible AI",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
"id": "AOAI.1",
"severity": "High",
@@ -16,7 +16,7 @@
"subcategory": "Load Balancing",
"text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
"id": "AOAI.10",
"severity": "High",
@@ -27,7 +27,7 @@
"subcategory": "Monitoring",
"text": "Enable monitoring for your AOAI instances",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
"id": "AOAI.11",
"severity": "High",
@@ -38,7 +38,7 @@
"subcategory": "Alerts",
"text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
"id": "AOAI.12",
"graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant",
@@ -50,7 +50,7 @@
"subcategory": "Monitoring",
"text": "Monitor token usage to prevent service disruptions due to capacity",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
"id": "AOAI.13",
"severity": "High",
@@ -61,7 +61,7 @@
"subcategory": "Observability",
"text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
"id": "AOAI.14",
"severity": "Medium",
@@ -72,7 +72,7 @@
"subcategory": "Observability",
"text": "Enable and configure Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
"id": "AOAI.15",
"severity": "Low",
@@ -83,7 +83,7 @@
"subcategory": "Infrastructure Deployment",
"text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
"id": "AOAI.16",
"severity": "High",
@@ -94,7 +94,7 @@
"subcategory": "Authentication",
"text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "4350d092-d234-4292-a752-8537a551c5bf",
"id": "AOAI.17",
"severity": "High",
@@ -105,7 +105,7 @@
"subcategory": "Evaluation",
"text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
"id": "AOAI.18",
"severity": "High",
@@ -116,7 +116,7 @@
"subcategory": "Hosting model",
"text": "Evaluate usage of Provisioned throughput model ",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "68889535-e327-4897-b31b-67d67be5962a",
"id": "AOAI.19",
"severity": "High",
@@ -127,7 +127,7 @@
"subcategory": "Content Safety",
"text": "Review and implement Azure AI content safety",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
"id": "AOAI.2",
"severity": "High",
@@ -138,7 +138,7 @@
"subcategory": "Throughput definition",
"text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
"id": "AOAI.20",
"severity": "High",
@@ -149,7 +149,7 @@
"subcategory": "Latency improvement",
"text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
"id": "AOAI.21",
"severity": "Medium",
@@ -160,7 +160,7 @@
"subcategory": "Elasticity segregation",
"text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
"id": "AOAI.22",
"severity": "Medium",
@@ -171,7 +171,7 @@
"subcategory": "Benchmarking",
"text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "5bda4332-4f24-4811-9331-82ba51752694",
"id": "AOAI.23",
"severity": "High",
@@ -182,7 +182,7 @@
"subcategory": "Elasticity ",
"text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
"id": "AOAI.24",
"severity": "Medium",
@@ -193,7 +193,7 @@
"subcategory": "Model choice",
"text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
"id": "AOAI.25",
"severity": "High",
@@ -204,7 +204,7 @@
"subcategory": "Fine tuning",
"text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
"waf": "Performance",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "e9951904-8384-45c9-a6cb-2912156a1147",
"id": "AOAI.26",
"severity": "Medium",
@@ -215,7 +215,7 @@
"subcategory": "Multi-region architecture",
"text": "Deploy multiple OAI instances across regions",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
"id": "AOAI.27",
"severity": "Low",
@@ -226,7 +226,7 @@
"subcategory": "Load balancing",
"text": "Implement retry & healthchecks with Gateway pattern like APIM",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
"id": "AOAI.28",
"severity": "High",
@@ -237,7 +237,7 @@
"subcategory": "Quotas",
"text": "Ensure having adequate quotas of TPM & RPM for the workload",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
"id": "AOAI.29",
"severity": "Medium",
@@ -248,7 +248,7 @@
"subcategory": "UX best practice",
"text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
"id": "AOAI.3",
"severity": "Medium",
@@ -259,7 +259,7 @@
"subcategory": "Load balancing",
"text": "Deploy separate fine tuned models across regions if finetuning is employed",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "7f154e3a-a369-4282-ae7e-316183687a04",
"id": "AOAI.30",
"severity": "Medium",
@@ -270,7 +270,7 @@
"subcategory": "Data Backup and Disaster Recovery",
"text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "77a1f893-5bda-4433-84f2-4811633182ba",
"id": "AOAI.31",
"severity": "Medium",
@@ -281,7 +281,7 @@
"subcategory": "SLA considerations",
"text": "Azure AI search service tiers should be choosen to have a SLA ",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
"id": "AOAI.32",
"graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant",
@@ -293,7 +293,7 @@
"subcategory": "Data Sensitivity",
"text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
"id": "AOAI.33",
"severity": "Low",
@@ -304,7 +304,7 @@
"subcategory": "Encryption at Rest",
"text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
"id": "AOAI.34",
"severity": "High",
@@ -315,7 +315,7 @@
"subcategory": "Transit Encryption",
"text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
"id": "AOAI.35",
"severity": "High",
@@ -326,7 +326,7 @@
"subcategory": "Access Control",
"text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
"id": "AOAI.36",
"severity": "High",
@@ -337,7 +337,7 @@
"subcategory": "Data Masking and Redaction",
"text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
"id": "AOAI.37",
"severity": "Medium",
@@ -348,7 +348,7 @@
"subcategory": "Threat Detection and Monitoring",
"text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
"id": "AOAI.38",
"severity": "High",
@@ -359,7 +359,7 @@
"subcategory": "Data Retention and Disposal",
"text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
"id": "AOAI.39",
"severity": "Medium",
@@ -370,7 +370,7 @@
"subcategory": "Jail break Safety",
"text": "Implement Prompt shields and groundedness detection using Content Safety ",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
"id": "AOAI.4",
"severity": "High",
@@ -381,7 +381,7 @@
"subcategory": "Data Privacy and Compliance",
"text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
"id": "AOAI.40",
"severity": "High",
@@ -392,7 +392,7 @@
"subcategory": "Employee Awareness and Training",
"text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
"id": "AOAI.41",
"severity": "Medium"
@@ -402,7 +402,7 @@
"subcategory": "Environment segregation",
"text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
"id": "AOAI.42",
"severity": "High"
@@ -412,7 +412,7 @@
"subcategory": "Index Segregation",
"text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
"id": "AOAI.43",
"severity": "Medium"
@@ -422,7 +422,7 @@
"subcategory": "Sensitive Data in Separate Instances",
"text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
"id": "AOAI.44",
"severity": "Medium"
@@ -432,7 +432,7 @@
"subcategory": "Embedding and Vector handling",
"text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
"id": "AOAI.45",
"severity": "High"
@@ -442,7 +442,7 @@
"subcategory": "Access control",
"text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
"id": "AOAI.46",
"severity": "High",
@@ -453,7 +453,7 @@
"subcategory": "Network security",
"text": "Configure private endpoint for AI services to restrict service access within your network",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
"id": "AOAI.47",
"graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')",
@@ -465,7 +465,7 @@
"subcategory": "Network security",
"text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
"id": "AOAI.48",
"severity": "High"
@@ -475,7 +475,7 @@
"subcategory": "Control Network Access",
"text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
"id": "AOAI.49",
"severity": "High"
@@ -485,7 +485,7 @@
"subcategory": "Token Optimization",
"text": "Use prompt compression tools like LLMLingua or gprtrim",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
"id": "AOAI.5",
"severity": "Medium",
@@ -496,7 +496,7 @@
"subcategory": "Secure APIs and Endpoints",
"text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
"id": "AOAI.50",
"graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))",
@@ -508,7 +508,7 @@
"subcategory": "Implement Strong Authentication",
"text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
"id": "AOAI.51",
"severity": "Medium",
@@ -519,7 +519,7 @@
"subcategory": "Use Network Monitoring",
"text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "93555620-2bfe-4456-9b0d-834a348b263e",
"id": "AOAI.52",
"severity": "Medium"
@@ -529,7 +529,7 @@
"subcategory": "Security Audits and Penetration Testing",
"text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
"id": "AOAI.53",
"severity": "Medium"
@@ -542,7 +542,7 @@
"guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
"id": "AOAI.54",
"graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json"
},
@@ -551,7 +551,7 @@
"subcategory": "Infrastructure Deployment",
"text": "Azure AI Service accounts follows organizational naming conventions",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
"id": "AOAI.55",
"severity": "Low",
@@ -562,7 +562,7 @@
"subcategory": "Diagnostics Logging",
"text": "Diagnostic logs in Azure AI services resources should be enabled",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
"id": "AOAI.56",
"severity": "High",
@@ -573,7 +573,7 @@
"subcategory": "Entra ID based access",
"text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
"id": "AOAI.57",
"graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)",
@@ -585,7 +585,7 @@
"subcategory": "Secure Key Management",
"text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
"id": "AOAI.58",
"severity": "High",
@@ -596,7 +596,7 @@
"subcategory": "Key Rotation and Expiration",
"text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
"id": "AOAI.59",
"severity": "High",
@@ -607,7 +607,7 @@
"subcategory": "Token Optimization",
"text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "adfe27be-e297-401a-a352-baaab79b088d",
"id": "AOAI.6",
"severity": "High",
@@ -618,7 +618,7 @@
"subcategory": "Secure coding practice",
"text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
"id": "AOAI.60",
"severity": "High",
@@ -629,7 +629,7 @@
"subcategory": "Patching and updates",
"text": "Setup a process to regularly update and patch the LLM libraries and other system components",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
"id": "AOAI.61",
"severity": "High",
@@ -640,7 +640,7 @@
"subcategory": "Governance",
"text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "e29711b1-352b-4eee-879b-588defc4972c",
"id": "AOAI.62",
"severity": "High",
@@ -651,7 +651,7 @@
"subcategory": "Cost familiarization",
"text": "Understand difference in cost of base models and fine tuned models and token step sizes",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
"id": "AOAI.63",
"severity": "Medium",
@@ -662,7 +662,7 @@
"subcategory": "Batch processing",
"text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
"id": "AOAI.64",
"severity": "High",
@@ -673,7 +673,7 @@
"subcategory": "Cost monitoring",
"text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
"id": "AOAI.65",
"severity": "Medium",
@@ -684,7 +684,7 @@
"subcategory": "Token limit",
"text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). Optimize the size to ensure it is large enough for a valid response",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "166cd072-af9b-4141-a898-a535e737897e",
"id": "AOAI.66",
"severity": "Medium",
@@ -695,7 +695,7 @@
"subcategory": "AI Search Vector Limits",
"text": "Plan and manage AI Search Vector storage",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
"id": "AOAI.68",
"severity": "Medium",
@@ -706,7 +706,7 @@
"subcategory": "DevOps",
"text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
"id": "AOAI.69",
"severity": "Medium",
@@ -717,7 +717,7 @@
"subcategory": "Costing Model",
"text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
"id": "AOAI.7",
"severity": "High",
@@ -728,7 +728,7 @@
"subcategory": "DevOps",
"text": "Evaluate the quality of prompts and applications when switching between model versions",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
"id": "AOAI.70",
"severity": "Medium",
@@ -739,7 +739,7 @@
"subcategory": "Development",
"text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "3418db61-2712-4650-9bb4-7a393a080327",
"id": "AOAI.71",
"severity": "Medium",
@@ -750,7 +750,7 @@
"subcategory": "Development",
"text": "Evaluate your Azure AI Search results based on different search parameters",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "294798b1-578b-4219-a46c-eb5443513592",
"id": "AOAI.72",
"severity": "Medium"
@@ -760,7 +760,7 @@
"subcategory": "Development",
"text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "2744293b-b628-4537-a551-19b08e8f5854",
"id": "AOAI.73",
"severity": "Medium",
@@ -771,7 +771,7 @@
"subcategory": "Development",
"text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "287d9cec-166c-4d07-8af9-b141a898a535",
"id": "AOAI.74",
"severity": "Medium",
@@ -782,7 +782,7 @@
"subcategory": "Security Audits and Penetration Testing",
"text": "Red team your GenAI applications",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "e737897e-71ca-47da-acfa-962a1594946d",
"id": "AOAI.75",
"severity": "Medium",
@@ -793,7 +793,7 @@
"subcategory": "End user feedback",
"text": "Provide end users with scoring options for LLM responses and track these scores. ",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
"id": "AOAI.76",
"severity": "Medium",
@@ -804,7 +804,7 @@
"subcategory": "Quota Management",
"text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
"id": "AOAI.8",
"severity": "High",
@@ -815,7 +815,7 @@
"subcategory": "Load Balancing",
"text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
"id": "AOAI.9",
"severity": "Medium",
@@ -826,7 +826,7 @@
"subcategory": "Fine tuning",
"text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411",
"id": "AOAI.77",
"severity": "Medium",
@@ -837,7 +837,7 @@
"subcategory": "Monitoring",
"text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412",
"id": "AOAI.78",
"severity": "Medium",
@@ -848,7 +848,7 @@
"subcategory": "Monitoring",
"text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413",
"id": "AOAI.79",
"severity": "Medium",
@@ -859,7 +859,7 @@
"subcategory": "Content Safety",
"text": "Tune content filters to minimize false positives from overly aggressive filters",
"waf": "Reliability",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414",
"id": "AOAI.80",
"severity": "Medium",
@@ -870,7 +870,7 @@
"subcategory": "Key Management",
"text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415",
"id": "AOAI.81",
"severity": "Medium",
@@ -881,7 +881,7 @@
"subcategory": "Jailbreak protection",
"text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416",
"id": "AOAI.82",
"graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1",
@@ -893,7 +893,7 @@
"subcategory": "Quota exhaustion",
"text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas",
"waf": "Security",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417",
"id": "AOAI.83",
"severity": "Medium",
@@ -904,7 +904,7 @@
"subcategory": "Cost estimation",
"text": "Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "72d41e36-11cc-457b-9a4b-1410d43958a9",
"id": "AOAI.84",
"severity": "Medium",
@@ -915,7 +915,7 @@
"subcategory": "Model selection",
"text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. Optimize costs while still achieving the desired application performance",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "72d41e36-11cc-457b-9a4b-1410d43958a1",
"id": "AOAI.85",
"severity": "Medium",
@@ -926,7 +926,7 @@
"subcategory": "Usage Optimization",
"text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. The cost for generating 100 images is the same as the cost for 1 image",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "72d41e36-11cc-457b-9a4b-1410d43958a2",
"id": "AOAI.86",
"severity": "Medium",
@@ -937,7 +937,7 @@
"subcategory": "Usage Optimization",
"text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "72d41e36-11cc-457b-9a4b-1410d43958a3",
"id": "AOAI.87",
"severity": "Medium",
@@ -948,7 +948,7 @@
"subcategory": "Token Optimization",
"text": "Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.",
"waf": "Cost Optimization",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g",
"id": "AOAI.88",
"severity": "Medium",
@@ -959,7 +959,7 @@
"subcategory": "IaC",
"text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219",
"id": "AOAI.89",
"severity": "Medium",
@@ -970,7 +970,7 @@
"subcategory": "Development",
"text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups",
"waf": "Operational Excellence",
- "service": "Azure OpenAI",
+ "service": "OpenAI",
"guid": "2744293b-b628-4537-a551-19b08e8f5855",
"id": "AOAI.90",
"severity": "Medium",
diff --git a/checklists/azure_storage_checklist.en.json b/checklists/azure_storage_checklist.en.json
index ecb101fb..56459f87 100644
--- a/checklists/azure_storage_checklist.en.json
+++ b/checklists/azure_storage_checklist.en.json
@@ -6,7 +6,7 @@
"text": "Consider the 'Azure security baseline for storage'",
"description": "Apply guidance from the Microsoft cloud security benchmark related to Storage",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
"id": "A01.01",
"severity": "Medium",
@@ -18,7 +18,7 @@
"text": "Consider using private endpoints for Azure Storage",
"description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
"id": "A02.01",
"severity": "High",
@@ -31,7 +31,7 @@
"text": "Ensure older storage accounts are not using 'classic deployment model'",
"description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "30e37c3e-2971-41b2-963c-eee079b598de",
"id": "A03.01",
"severity": "Medium",
@@ -43,7 +43,7 @@
"text": "Enable Microsoft Defender for all of your storage accounts",
"description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
"id": "A03.02",
"severity": "High",
@@ -56,7 +56,7 @@
"text": "Enable 'soft delete' for blobs",
"description": "The soft-delete mechanism allows to recover accidentally deleted blobs.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
"id": "A04.01",
"severity": "Medium",
@@ -68,7 +68,7 @@
"text": "Disable 'soft delete' for blobs",
"description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
"id": "A05.01",
"severity": "Medium",
@@ -80,7 +80,7 @@
"text": "Enable 'soft delete' for containers",
"description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
"id": "A06.01",
"severity": "High",
@@ -92,7 +92,7 @@
"text": "Disable 'soft delete' for containers",
"description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
"id": "A07.01",
"severity": "Medium",
@@ -104,7 +104,7 @@
"text": "Enable resource locks on storage accounts",
"description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
"id": "A08.01",
"severity": "High",
@@ -116,7 +116,7 @@
"text": "Consider immutable blobs",
"description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
"id": "A09.01",
"severity": "High",
@@ -128,7 +128,7 @@
"text": "Require HTTPS, i.e. disable port 80 on the storage account",
"description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
"id": "A10.01",
"severity": "High",
@@ -141,7 +141,7 @@
"text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
"description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
"id": "A10.02",
"severity": "High",
@@ -153,7 +153,7 @@
"text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
"description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
"id": "A10.03",
"severity": "Medium",
@@ -165,7 +165,7 @@
"text": "Enforce the latest TLS version for a storage account",
"description": ". Enforcing the latest TLS version will reject request from clients using the older version. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
"id": "A10.4",
"severity": "High",
@@ -178,7 +178,7 @@
"text": "Use Microsoft Entra ID tokens for blob access",
"description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
"id": "A11.01",
"severity": "High",
@@ -190,7 +190,7 @@
"text": "Least privilege in IaM permissions",
"description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
"id": "A11.02",
"severity": "Medium"
@@ -201,7 +201,7 @@
"text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
"description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
"id": "A11.03",
"severity": "High",
@@ -213,7 +213,7 @@
"text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.",
"description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
"id": "A11.04",
"severity": "High",
@@ -226,7 +226,7 @@
"text": "Consider using Azure Monitor to audit control plane operations on the storage account",
"description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
"id": "A12.01",
"severity": "High",
@@ -238,7 +238,7 @@
"text": "When using storage account keys, consider enabling a 'key expiration policy'",
"description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
"id": "A13.01",
"severity": "Medium",
@@ -250,7 +250,7 @@
"text": "Consider configuring an SAS expiration policy",
"description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
"id": "A13.02",
"severity": "Medium",
@@ -262,7 +262,7 @@
"text": "Consider linking SAS to a stored access policy",
"description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
"id": "A13.03",
"severity": "Medium",
@@ -273,7 +273,7 @@
"subcategory": "CI/CD",
"text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
"id": "A14.01",
"severity": "Medium",
@@ -285,7 +285,7 @@
"text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
"description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
"id": "A15.01",
"severity": "High",
@@ -297,7 +297,7 @@
"text": "Strive for short validity periods for ad-hoc SAS",
"description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
"id": "A15.02",
"severity": "High",
@@ -309,7 +309,7 @@
"text": "Apply a narrow scope to a SAS",
"description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
"id": "A15.03",
"severity": "Medium",
@@ -321,7 +321,7 @@
"text": "Consider scoping SAS to a specific client IP address, wherever possible",
"description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
"id": "A15.04",
"severity": "Medium",
@@ -333,7 +333,7 @@
"text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
"description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
"id": "A15.05",
"severity": "Low"
@@ -344,7 +344,7 @@
"text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
"description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
"id": "A15.06",
"severity": "High",
@@ -355,7 +355,7 @@
"subcategory": "Identity and Access Management",
"text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
"id": "A15.07",
"severity": "Medium",
@@ -367,7 +367,7 @@
"text": "Avoid overly broad CORS policies",
"description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
"id": "A16.01",
"severity": "High",
@@ -379,7 +379,7 @@
"text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
"description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
"id": "A17.01",
"severity": "High",
@@ -390,7 +390,7 @@
"subcategory": "Confidentiality and Encryption",
"text": "Determine which/if platform encryption should be used.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
"id": "A17.02",
"severity": "Medium",
@@ -401,7 +401,7 @@
"subcategory": "Confidentiality and Encryption",
"text": "Determine which/if client-side encryption should be used.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
"id": "A17.03",
"severity": "Medium",
@@ -413,7 +413,7 @@
"text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ",
"description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.",
"waf": "Security",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
"id": "A18.01",
"severity": "High",
@@ -425,7 +425,7 @@
"subcategory": "Platform Version",
"text": "Leverage a storagev2 account type for better performance and reliability",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
"id": "B01.01",
"severity": "High",
@@ -436,7 +436,7 @@
"subcategory": "Availablity",
"text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
"id": "C01.01",
"severity": "High",
@@ -448,7 +448,7 @@
"subcategory": "Failover",
"text": "For write operation after failover, use customer-Managed Failover ",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "2fa56c56-ad48-4408-be72-734c486ba280",
"id": "C01.02",
"severity": "Medium",
@@ -459,7 +459,7 @@
"subcategory": "Failover",
"text": "Understand Microsoft-Managed Failover details",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
"id": "C01.03",
"severity": "Medium",
@@ -470,7 +470,7 @@
"subcategory": "Data Protection",
"text": "Enable Soft Delete",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
"id": "C01.04",
"severity": "Medium",
diff --git a/checklists/cost_checklist.en.json b/checklists/cost_checklist.en.json
index af5b865c..be1a0738 100644
--- a/checklists/cost_checklist.en.json
+++ b/checklists/cost_checklist.en.json
@@ -6,7 +6,7 @@
"text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Monitor",
+ "service": "Monitor",
"guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
"id": "A01.01",
"training": "https://azure.microsoft.com/pricing/reservations/",
@@ -18,7 +18,7 @@
"text": "check backup instances with the underlying datasource not found",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Backup",
+ "service": "Backup",
"guid": "45901365-d38e-443f-abcb-d868266abca2",
"id": "A02.01",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation"
@@ -60,7 +60,7 @@
"text": "Consider a good balance between site recovery storage and backup for non mission critical applications",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Backup",
+ "service": "Backup",
"guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
"id": "A03.04",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations"
@@ -71,7 +71,7 @@
"text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Monitor",
+ "service": "Monitor",
"guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
"id": "A04.01",
"training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
@@ -83,7 +83,7 @@
"text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Monitor",
+ "service": "Monitor",
"guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
"id": "A05.01",
"training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
@@ -460,7 +460,7 @@
"text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure SQL",
+ "service": "SQL",
"guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
"id": "D09.01",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy"
@@ -574,7 +574,7 @@
"text": "Move recovery points to vault-archive where applicable (Validate)",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Backup",
+ "service": "Backup",
"guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
"id": "E03.01",
"training": "https://azure.microsoft.com/pricing/reservations/",
@@ -597,7 +597,7 @@
"text": "Functions - Reuse connections",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
"id": "E05.01",
"training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
@@ -609,7 +609,7 @@
"text": "Functions - Cache data locally",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
"id": "E05.02",
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
@@ -621,7 +621,7 @@
"text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
"id": "E05.03",
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
@@ -633,7 +633,7 @@
"text": "Functions - Keep your functions warm",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
"id": "E05.04",
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
@@ -645,7 +645,7 @@
"text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
"id": "E05.05",
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
@@ -656,7 +656,7 @@
"text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
"id": "E05.06",
"link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal"
@@ -667,7 +667,7 @@
"text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
"severity": "Medium",
"waf": "Cost",
- "service": "Azure Functions",
+ "service": "Functions",
"guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
"id": "E05.07",
"link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups"
diff --git a/checklists/databricks_checklist.en.json b/checklists/databricks_checklist.en.json
index de4ed20d..082090fe 100644
--- a/checklists/databricks_checklist.en.json
+++ b/checklists/databricks_checklist.en.json
@@ -5,7 +5,7 @@
"subcategory": "Best Practices",
"text": "Reference Databricks HA/DR playbook",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "65285269-440c-44be-9d3e-0844276d4bdc",
"id": "46.1",
"severity": "High",
@@ -16,7 +16,7 @@
"subcategory": "Migration",
"text": "Use Databricks Sync",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd",
"id": "46.10",
"severity": "Low",
@@ -27,7 +27,7 @@
"subcategory": "Backup",
"text": "Backup your workspace configuration including ARM templates and secret scopes",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6",
"id": "46.2",
"severity": "Medium",
@@ -38,7 +38,7 @@
"subcategory": "Backup",
"text": "Share metaData across different Databricks workspaces using Hive external metastore",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29",
"id": "46.3",
"severity": "Medium",
@@ -49,7 +49,7 @@
"subcategory": "Backup",
"text": "Plan Disaster Recovery strategy in Databricks using the Hive External Metastore",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "769e3969-0e78-428a-a936-657d03b0f466",
"id": "46.4",
"severity": "Medium",
@@ -60,7 +60,7 @@
"subcategory": "Backup",
"text": "Backup your data with deep and shallow clones",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b",
"id": "46.5",
"severity": "Medium",
@@ -72,7 +72,7 @@
"text": "Backup your data to Azure Storage RA-GRS",
"description": "Download the blob using the secondary endpoint in RAGRS storage account",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "7abae48a-bd54-4cd7-ae2e-86768357c559",
"id": "46.6",
"severity": "Medium",
@@ -83,7 +83,7 @@
"subcategory": "Backup",
"text": "Backup your code with DevOps",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a",
"id": "46.7",
"severity": "High",
@@ -94,7 +94,7 @@
"subcategory": "Disaster Recovery",
"text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a",
"id": "46.8",
"severity": "High",
@@ -106,7 +106,7 @@
"text": "Use Databricks Migration tools",
"description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace",
"waf": "Reliability",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc",
"id": "46.9",
"severity": "Medium",
diff --git a/checklists/datasecurity_checklist.en.json b/checklists/datasecurity_checklist.en.json
index 5bbb6f5f..8cfeffb1 100644
--- a/checklists/datasecurity_checklist.en.json
+++ b/checklists/datasecurity_checklist.en.json
@@ -6,7 +6,7 @@
"text": "Restrict use of local users on sql workloads on Synapse",
"description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "32d41e36-11c8-417b-8afb-c410d4391898",
"id": "A01.01",
"severity": "High"
@@ -17,7 +17,7 @@
"text": "Encrypt sensitive data in transit",
"description": "No additional configurations are required as this is enabled on a default deployment.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "21d41d25-00c8-417b-b9ea-c41fd3390798",
"id": "A01.01",
"severity": "Medium",
@@ -29,7 +29,7 @@
"text": "Use managed identity to authenticate to the services",
"description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a",
"id": "A01.02",
"severity": "Medium",
@@ -40,7 +40,7 @@
"subcategory": "",
"text": "Enable data at rest encryption by default",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "bc288bec-6a17-4ca7-8444-51e1add3452a",
"id": "A01.02",
"severity": "Medium"
@@ -51,7 +51,7 @@
"text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies",
"description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "ec823923-7a15-42d6-ac5e-402925388e5d",
"id": "A01.03",
"severity": "High"
@@ -62,7 +62,7 @@
"text": "Use customer-managed key option in data at rest encryption when required",
"description": "Use Keyvaults to store your CMK",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "ec723923-7a15-41c5-ab5e-401915387e5c",
"id": "A01.03",
"severity": "Medium",
@@ -74,7 +74,7 @@
"text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute",
"description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a",
"id": "A01.04",
"severity": "Medium",
@@ -85,7 +85,7 @@
"subcategory": "",
"text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f",
"id": "A01.05",
"severity": "Medium",
@@ -97,7 +97,7 @@
"text": "Use managed vnet workspace to restrict the access over public internet",
"description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. This can be selected when deploying a workspace",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2",
"id": "B01.01",
"severity": "Medium",
@@ -109,7 +109,7 @@
"text": "Use Microsoft Entra ID as the default authentication method and disable local access wherever possible",
"description": "Use Microsoft Entra ID as the default authentication method.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "a9c26d9c-42bb-45bd-8c69-99a246e3389a",
"id": "B01.01",
"severity": "High"
@@ -120,7 +120,7 @@
"text": "Configure private endpoints to connect to the external services and disable public access",
"description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. By doing so, it ensures all workspace endpoints can only be accessed using\ufffdprivate endpoints.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3",
"id": "B01.02",
"severity": "Medium",
@@ -132,7 +132,7 @@
"text": "Use managed identity to authenticate to the services",
"description": "Use Microsoft Entra ID as the default authentication method.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "7e42c77d-78cb-46a2-8ad1-9f916e698d8f",
"id": "B01.02",
"severity": "Medium"
@@ -143,7 +143,7 @@
"text": "If enabling public access highly recommended to configure IP firewall rules",
"description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "294798b1-178a-42c5-a46c-eb544350d092",
"id": "B01.03",
"link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall"
@@ -153,7 +153,7 @@
"subcategory": "",
"text": "Configure conditional access policies to restrict the access on Data plane",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "adfe27bd-e187-401a-a352-baa9b68a088c",
"id": "B01.03",
"severity": "Medium"
@@ -163,7 +163,7 @@
"subcategory": "",
"text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn\ufffdt leave your corporate network",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "d234292b-7528-4537-a551-c5bf4e4f1854",
"id": "B01.04",
"severity": "Medium",
@@ -175,7 +175,7 @@
"text": "Use Azure Key Vaults to store secrets and crendentials.",
"description": "Restrict exposure of keys and secerts",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "9a80822b-8eb9-4d1b-a77f-26e5e6beba8e",
"id": "B01.04",
"severity": "High"
@@ -186,7 +186,7 @@
"text": "Enable Data Exfiltration Protection (DEP)",
"description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. (Think about the limitation before enabling it)",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535",
"id": "B01.05",
"severity": "Medium",
@@ -197,7 +197,7 @@
"subcategory": "",
"text": "Separate and limit highly privileged/administrative users",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "d4f3437c-c336-4d81-9f27-a71efe1b9b5d",
"id": "B01.05",
"severity": "High"
@@ -208,7 +208,7 @@
"text": "Authenticate access to Event Hubs resources using shared access signatures (SAS) and restrict local users",
"description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It\ufffds recommended that you treat this rule like an administrative root account and don\ufffdt use it in your application. You can create additional policy rules in the Configure tab for the namespace in the portal, via PowerShell or Azure CLI. Avoid the usage of local authentication methods or accounts, these should be disabled wherever possible. Instead use Azure AD to authenticate where possible.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "9de0d5d7-21d4-41d2-900c-817bf9eac41f",
"id": "B01.06",
"severity": "Medium",
@@ -220,7 +220,7 @@
"text": "Use Azure RBACs to fine grain the access ",
"description": "Use Azure role-based access control (Azure RBAC) to manage Azure resource access through built-in role assignments. Azure RBAC roles can be assigned to users, groups, service principals, and managed identities.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "387e5ced-127d-4d14-8b06-b20c6999a646",
"id": "B01.07",
"severity": "Medium",
@@ -232,7 +232,7 @@
"text": "Data Encryption at rest using Customer managed Keys for workspace",
"description": "First layer of encryption is done by Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "e337897e-31b6-47d6-9be5-962a1193846d",
"id": "C01.01",
"severity": "Medium",
@@ -244,7 +244,7 @@
"text": "Disable Public Network Access",
"description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "f3389a7e-42c7-48e7-ac06-a62a2194956e",
"id": "C01.01",
"severity": "Medium"
@@ -255,7 +255,7 @@
"text": "Data Encryption in transit ",
"description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "697cc391-ed16-4b2d-886f-0a1241bddde6",
"id": "C01.02",
"severity": "Medium",
@@ -266,7 +266,7 @@
"subcategory": "",
"text": "Use Vnets to isolate traffic over restricted network ",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "6a8dc4a2-fe27-4b2e-8870-1a1352beedf7",
"id": "C01.02",
"severity": "Medium"
@@ -277,7 +277,7 @@
"text": "Store passwords, secerts and keys in Azure key vault",
"description": "Use Keyvaults to store your secrets and credentials",
"waf": "Security",
- "service": "Azure Synapse Analytics",
+ "service": "Synapse Analytics",
"guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5",
"id": "C01.03",
"severity": "High"
@@ -287,7 +287,7 @@
"subcategory": "",
"text": "Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources.",
"waf": "Security",
- "service": "Azure Event Hubs",
+ "service": "Event Hubs",
"guid": "9b488dee-c496-42cc-9cd2-1bf77f26e5e6",
"id": "C01.03",
"severity": "Medium",
@@ -296,7 +296,7 @@
{
"category": "",
"subcategory": "",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"waf": "Security",
"text": "Use Azure Key Vault secrets in pipeline activities",
"description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.",
@@ -411,7 +411,7 @@
"text": "Restrict use of local users whereever necessary",
"description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39",
"id": "E01.01",
"severity": "High"
@@ -434,7 +434,7 @@
"text": "Use managed identity to authenticate to the services",
"description": "Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54",
"id": "E01.02",
"severity": "Medium",
@@ -458,7 +458,7 @@
"text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies",
"description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "4350d092-d234-4292-a752-8537a551c5bf",
"id": "E01.03",
"severity": "High"
@@ -479,7 +479,7 @@
"category": "Network Security",
"subcategory": "",
"text": "Disable access over public internet and configure either firewall rules or trusted services rules",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"waf": "Security",
"guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc",
"id": "F01.01",
@@ -502,7 +502,7 @@
"subcategory": "",
"text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn\ufffdt leave your corporate network",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "6898a535-e337-4897-b31b-67d67be5962a",
"id": "F01.02",
"severity": "Medium"
@@ -526,7 +526,7 @@
"text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime",
"description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. It uses private endpoints to securely connect to supported data stores.",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12",
"id": "F01.03",
"severity": "Medium"
@@ -550,7 +550,7 @@
"text": "Configure managed private endpoints to connect to resources using managed azure IR",
"description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. Data Factory manages these private endpoints on your behalf.",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6",
"id": "F01.04",
"severity": "Medium",
@@ -639,7 +639,7 @@
"text": "Configure Private Links to connect to sources in customer Vnet and data factory",
"description": "By using Azure Private Link, you can connect to various platform as a service (PaaS) deployments in Azure via a private endpoint. A private endpoint is a private IP address within a specific virtual network and subnet",
"guid": "b47a393a-0804-4272-a479-8b1578b219a4",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"waf": "Security",
"id": "G01.01",
"severity": "Medium",
@@ -651,7 +651,7 @@
"text": "Data Encryption at rest by Microsoft managed keys",
"description": "This is a default setting",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "6ceb5443-5135-4922-9442-93bb628637a5",
"id": "H01.01",
"severity": "Medium"
@@ -662,7 +662,7 @@
"text": "Data Encryption in transit by Microsoft managed keys",
"description": "This is a default setting",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "5119b08e-8f58-4543-a7e9-cec166cd072a",
"id": "H01.02",
"severity": "Medium"
@@ -673,7 +673,7 @@
"text": "Data Encryption in transit by BYOK (Customer managed keys)",
"description": "When you specify a customer-managed key, Data Factory uses\ufffdboth\ufffdthe factory system key and the CMK to encrypt customer data. Missing either would result in Deny of Access to data and factory.",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c",
"id": "H01.03",
"severity": "Medium",
@@ -684,7 +684,7 @@
"subcategory": "",
"text": "Store passwords, secrets in Azure Key Vault",
"waf": "Security",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"guid": "faa62a15-9495-46da-a7dc-3a23267b2258",
"id": "H01.04",
"severity": "High",
@@ -695,7 +695,7 @@
"subcategory": "",
"text": "Use Azure Key Vault secrets in pipeline activities",
"description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"waf": "Security",
"guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b",
"id": "H01.05",
@@ -707,7 +707,7 @@
"subcategory": "",
"text": "Encrypt credentials for on-premises using SHIR data stores in Azure Data Factory",
"description": "You can encrypt and store credentials for any of your on-premises data stores (linked services with sensitive information) on a machine with self-hosted integration runtime.",
- "service": "Azure Data Factory",
+ "service": "Data Factory",
"waf": "Security",
"guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173",
"id": "H01.06",
@@ -967,7 +967,7 @@
"text": "Define Least Privilege model and Lower exposure of privileged accounts",
"description": "Separate admin accounts from normal user accounts.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
"id": "O01.01",
"severity": "High"
@@ -978,7 +978,7 @@
"text": "Configure single sign-on and unified login. Enable multi-factor authentication.",
"description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
"id": "O01.02",
"severity": "High",
@@ -990,7 +990,7 @@
"text": "Use token management.",
"description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0",
"id": "O01.03",
"severity": "Medium",
@@ -1002,7 +1002,7 @@
"text": "Separate admin accounts from normal user accounts",
"description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there\ufffds a lead data engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It\ufffds important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. Therefore, the same considerations outlined above should be applied to Azure portal users too.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56",
"id": "O01.04",
"severity": "High"
@@ -1013,7 +1013,7 @@
"text": "SCIM synchronization of users and groups.",
"description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. This feature requires the Premium pricing tier",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36",
"id": "O01.05",
"severity": "Medium",
@@ -1025,7 +1025,7 @@
"text": "Limit cluster creation rights.",
"description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d",
"id": "O01.06",
"severity": "Medium"
@@ -1037,7 +1037,7 @@
"description": "Account admins can configure a workspace setting called RestrictWorkspaceAdmins to restrict workspace admins to only change a job owner to themselves and the job run as setting to a service principal that they have the Service Principal User role on.",
"guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"id": "P01.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins"
@@ -1048,7 +1048,7 @@
"text": "Store passwords, secrets in Azure Key Vault",
"description": "It\ufffds important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1",
"id": "Q01.01",
"severity": "High"
@@ -1068,7 +1068,7 @@
"text": "Use clusters that support user isolation.",
"description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
"id": "S01.01",
"severity": "Medium"
@@ -1079,7 +1079,7 @@
"text": "Use service principals to run production jobs. Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls",
"description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "e29711b1-352b-4eee-879b-588defc5972c",
"id": "S01.02",
"severity": "Medium",
@@ -1091,7 +1091,7 @@
"text": "Avoid storing production data in DBFS.",
"description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. Databricks recommends that our customers do not store production data in DBFS.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
"id": "T01.01",
"severity": "High"
@@ -1102,7 +1102,7 @@
"text": "Encrypt storage and restrict access.",
"description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
"id": "T01.02",
"severity": "Medium",
@@ -1114,7 +1114,7 @@
"text": "Add a customer-managed key for managed services and workspace storage",
"description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a \ufffdnuclear option\ufffd where the workspace ceases to function, but it provides an emergency control for extreme situations. This feature requires the Premium pricing tier.",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
"id": "T01.03",
"severity": "Medium",
@@ -1126,7 +1126,7 @@
"text": "Enable IP access lists to restrict access to certain IP addresses.",
"description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. ",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "277de183-b1ac-4252-a9a9-b64608489a8f",
"id": "U01.01",
"severity": "Medium",
@@ -1138,7 +1138,7 @@
"text": "Configure and use Azure Private Link to access Azure resources.",
"description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. Not only does Private Link ensure",
"waf": "Security",
- "service": "Azure Databricks",
+ "service": "Databricks",
"guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
"id": "U01.02",
"severity": "Medium",
@@ -1205,7 +1205,7 @@
}
],
"metadata": {
- "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "name": "Data Security review checklist",
"state": "Preview",
"waf": "Security",
"timestamp": "October 23, 2024"
diff --git a/checklists/resiliency_checklist.en.json b/checklists/resiliency_checklist.en.json
index 06614b08..65c0203d 100644
--- a/checklists/resiliency_checklist.en.json
+++ b/checklists/resiliency_checklist.en.json
@@ -138,7 +138,7 @@
"text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
"description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy"
@@ -149,7 +149,7 @@
"text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
"description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource"
@@ -160,7 +160,7 @@
"text": "Enable soft delete for Storage Account Containers",
"description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable"
@@ -171,7 +171,7 @@
"text": "Enable soft delete for blobs",
"description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
"waf": "Reliability",
- "service": "Azure Storage",
+ "service": "Storage",
"guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable"
@@ -182,7 +182,7 @@
"text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
"description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.",
"waf": "Reliability",
- "service": "Azure Backup",
+ "service": "Backup",
"guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about"
@@ -193,7 +193,7 @@
"text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
"description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.",
"waf": "Reliability",
- "service": "Azure Backup",
+ "service": "Backup",
"guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept"
@@ -204,7 +204,7 @@
"text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups",
"description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.",
"waf": "Reliability",
- "service": "Azure Backup",
+ "service": "Backup",
"guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault"