Ensure that Azure SQL database servers are accessible via private endpoints only.
Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.
Ensure that Azure Log Profile is configured to capture activity logs for all regions.
Enable "log_duration" parameter on your Microsoft Azure PostgreSQL database servers.
Ensure there is an activity log alert created for the "Create/Update Storage Account" events.
Regenerate storage account access keys periodically to help keep your storage account secure.
Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB accounts configuration.
Ensure that no network security groups allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).
To prevent certain resource types from being deployed, ensure that "Not Allowed Resource Types" policy is assigned.
Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs.
Figure 5 – SEC 8 Reporting in Conformity.
Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.
Ensure that App Service Authentication is enabled within your Microsoft Azure cloud account.
Ensure there is a tagging strategy in use for identifying and organizing Azure resources by name, purpose, environment, and other criteria.
Ensure there is an activity log alert created for the "Delete Key Vault" events.
Ensure that an activity log alert is created for the "Delete Network Security Group Rule" events.
The five Pillars of the Well-Architected Framework are each deeply acknowledged in our Knowledge Base of nearly 500 rules.
Ensure that an activity log alert is created for the "Delete Security Solution" events.
This is the most comprehensive AWS management tool currently available in the market.
Ensure that Azure virtual machines are configured to use system-assigned managed identities.
Ensure that geo-redundant backups are enabled for your Azure PostgreSQL database servers.
Use customer-managed keys (CMKs) for Microsoft Azure Storage accounts encryption.
Ensure that an activity log alert is created for "Update Key Vault (Microsoft.KeyVault/vaults)" events.
Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.
Ensure that an activity log alert is created for the "Delete Network Security Group" events.
Ensure that Office 365 groups can be created only by Active Directory (AD) administrators.
Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH).
Ensure that Azure Key Vault RSA certificates are using the appropriate key size.
Ensure that Active Directory (AD) self-service group management is disabled for non-administrator users.
2018 Growth for Cloud Conformity: 450 rules, 50+ services, 5+ Compliance Standards, and new… As 2018 comes to a close, the Cloud Conformity team has continued to bolster and add to our cloud infrastructure governance tools.
Ensure that a Customer-Managed Key is created for your Azure cloud application tier.
Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.
Ensure that resource locks are enabled for your high-impact Microsoft Azure resources.
Ensure that an expiration date is configured for all your Microsoft Azure encryption keys.
Enable system updates recommendations for Microsoft Azure virtual machines (VMs).
Ensure that an activity log alert is created for "Delete PostgreSQL Database" events.
Ensure that AKS clusters are using the latest available version of Kubernetes software.
Enable all types of threat detection for your Microsoft Azure SQL database servers.
Ensure that storage auto-growth is enabled for your Microsoft Azure PostgreSQL database servers.
Ensure that an activity log alert is created for the "Create/Update Network Security Group" events.
Ensure that Network Watcher service is enabled for all your Microsoft Azure subscriptions.
Ensure that Azure Log Profile is configured to export all control & management activities.
Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.
Ensure that guest users cannot invite other guests to collaborate with your organization.
Ensure that Multi-Factor Authentication (MFA) is enabled for all privileged Azure users.
Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).
Microsoft® Azure best practice rules
Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.
Enable FTPS-only access for your Microsoft Azure App Services web applications.
Ensure that an Azure Active Directory (AAD) admin is configured for PostgreSQL authentication.
Ensure there is more than one owner assigned to your Microsoft Azure subscription.
All of our Knowledge Base rules are mapped to compliance standards or endorsed by AWS as best practice checks, and give simple "success" or "failed" results for the highest clarity on your cloud environment's security posture.
Trend Micro Cloud One™ – Conformity has over 750+ cloud infrastructure configuration best practices for your Amazon Web Services and Microsoft® Azure environments.
Ensure that an activity log alert is created for the "Update Security Policy" events.
Ensure that in-transit encryption is enabled for your Azure MySQL database servers.
The continually growing Knowledge Base contains 600+ ready-to-go checks that run against your cloud …
Ensure that the number of methods required for user password reset is set to 2 (two).
Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs.
Below are the cloud services and their associated best practice rules, with clear instructions on how to perform the updates – made either through the console or via the Command Line Interface (CLI).
This extension has a really simple feature: a preventative measure to ensure your AWS infrastructure remains compliant by detecting risks in template files before they are launched into AWS.
Enable "log_connections" parameter for your Microsoft Azure PostgreSQL database servers.
Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.
Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.
Ensure that Azure App Service web applications are using the latest version of PHP.
Ensure that an activity log alert is created for the "Create/Update Network Security Group Rule" events.
Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.
Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.
Microsoft Azure Key Vault enables you to securely store and access secrets within your Azure cloud environment.
Microsoft Azure Locks provide a way for administrators to lock down resources to prevent deletion or changing of a resource.
Monitor your applications and infrastructure.
Azure Recovery Services provides multiple backup solutions based on the backup requirement and infrastructure topology.
Security posture management for cloud workloads.
An Azure storage account contains all of your Azure Storage data objects.
VirtualMachines: your applications and infrastructure.
Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets.
Ensure that DDoS standard protection is enabled for production Azure virtual networks.
Ensure that AuditEvent logging is enabled for your Microsoft Azure Key Vaults.
Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol.
Here is our growing list of Azure best practice rules with clear instructions on how to perform the updates – made either through the Azure console or via the Command Line Interface (CLI).
Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 days.
Ensure that the Azure storage container storing the activity logs is not publicly accessible.
Ensure that an Azure Active Directory (AAD) admin is configured for SQL authentication.
Ensure that Azure App Service web applications are using the latest version of TLS encryption.
Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.
Ensure that encryption at rest is enabled for unattached Azure virtual machine disk volumes.
The Knowledge Base is built on the AWS Well-Architected Framework with clear, step-by-step remediation rules actionable through both the AWS Console and CLI.
Whether your cloud exploration is just starting to take shape, you're mid-way through a migration or you're already running complex workloads in the cloud, Conformity offers full visibility of your infrastructure and provides continuous assurance it's secure, optimized and compliant.
Ensure there is a sufficient period configured for the SSL certificates auto-renewal.
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.
Enable adaptive application safelisting monitoring for Microsoft Azure virtual machines.
Ensure that only approved extensions are installed on your Microsoft Azure virtual machines.
Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account.
Ensure that no network security groups allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).
Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.
Providing simple, step-by-step resolutions to rectify any security vulnerabilities, performance, cost inefficiencies, and reliability risks.
Version v1.11.16
Amazon Managed Streaming for Apache Kafka.
Ensure that encryption is enabled for Azure virtual machine boot volumes to protect data at rest.
Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication.
Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption.
This is an extension with a simple implementation of the Cloud One Conformity template scanner right from the IDE.
Ensure that Azure Search Service instances are configured to use system-assigned managed identities.
Cloud Conformity uses its Knowledge Base of over 500 rules to automate checks across most services supported by AWS.
Ensure that Microsoft Azure Active Directory (AD) users are notified on password resets.
Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.
Ensure that database auditing is enabled at the Azure SQL database server level.
Ensure that non-administrator users are not allowed to access the Active Directory administration portal.
Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys.
Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).
Enable administrators and subscription owners to receive threat detection email notification alerts for SQL servers.
Ensure that all your Azure App Services applications are using the Backup and Restore feature.
Ensure that an activity log alert is created for the "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" events.
Ensure that in-transit encryption is enabled for your Azure PostgreSQL database servers.
Pay only for the compute time you consume.
Managed message broker service for Apache ActiveMQ.
Fully managed, highly available, and secure Apache Kafka service.
A machine learning-powered security service to discover, classify, and protect sensitive data.
Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.
To easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.
Create, maintain, and secure APIs at any scale.
Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted.
Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.
Here we break down exactly what the framework is by looking at the individual pillars and what they mean for users, …
Ensure that only Active Directory administrators can invite guests to your directory.
Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis.
Conformity provides real-time monitoring and auto-remediation for the security, compliance and governance of your cloud infrastructure.
Ensure that Azure Storage containers created to host static websites are not publicly accessible.
Ensure that monitoring of deprecated accounts within your Azure subscription(s) is enabled.
The Azure Activity Log provides insight into subscription-level events that have occurred in Azure.
This catalogue of cloud guardrails is a core part of Conformity, which automatically monitors and auto-remediates cloud infrastructure.
Ensure that Azure App Service web applications are using the latest stable version of Java.
Ensure that Azure App Service web applications are using incoming client certificates.
Launch applications when needed without upfront commitments.
Easily store, manage, and deploy container images.
Run containerized applications in production.
Scalable, elastic, cloud-native file system for Linux.
Highly available, scalable, and secure Kubernetes service.
Achieve fault tolerance for any application by ensuring scalability, performance, and security.
Easily run and scale Apache Spark, Hadoop, HBase, Presto, Hive, and other Big Data frameworks.
Managed, Redis or Memcached-compatible in-memory data store.
Fully managed, scalable, and secure Elasticsearch service.
Prepare and load real-time data streams into data stores and analytics tools.
Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring.
Provides ongoing visibility into the state of your AWS resources, services, and accounts.
Securely manage access to AWS services and resources.
Automated security assessment service to help improve the security and compliance of applications deployed on AWS.
Easily create and control the keys used to encrypt your data.
Easily collect, process, and analyze video and data streams in real time.
Run code without thinking about servers.
Ensure that Microsoft Azure Active Directory (AD) admins are notified on password resets.
Of course, the CLI has its limitations.
Ensure that user authentication information reconfirmation is enabled within the Active Directory password reset policy.
Ensure that Azure App Services applications are configured to use the Application Insights feature.
Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.
Ensure that the "Secure transfer required" security feature is enabled within your Azure Storage account configuration.
Ensure that a security contact phone number is provided in the Azure Security Center settings.
Ensure that the Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.
Leaving you to grow and scale your business with confidence.
Start querying data instantly.
Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.
Ensure that Microsoft Azure virtual machines are configured to use the Boot Diagnostics feature.
Ensure that an activity log alert is created for the "Create/Update Security Solution" events.
Ensure your AWS services are compliant towards certification classification.
Ensure that an activity log alert exists for "Delete Virtual Machine" events.
Ensure that the "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level.
Ensure that IP forwarding enabled on your Azure virtual machines (VMs) is being monitored.
Ensure that endpoint protection is installed on your Microsoft Azure virtual machines.
Pay only for the queries you run.
For each question in the Well-Architected Tool, we have identified which checks from our knowledge base are applicable.
Ensure that an activity log alert is created for "Create/Update Azure SQL Database" events.
Ensure that the Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.
Cloud security platforms like Cloud Conformity are only as useful as the underlying rules powering the engine that checks your infrastructure.
Ensure that Azure Blob Storage service has a lifecycle management policy configured.
Get results in seconds.
Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled.
Ensure that Azure App Service web applications are using the latest stable version of HTTP.
There are 17 step-by-step guides on implementing S3 best practices through the CLI, and over 350 guides across the different services.
Ensure that next generation firewall monitoring for Azure virtual machines (VMs) is enabled.
The combination of real-time monitoring and simplified, readily available remediation information enables organisations to embrace DevOps, without the fear of … development and a secure, optimized cloud infrastructure
Conformity has the leading Knowledge Base catalogue of infrastructure rules and controls directly available within its platform.
Along with continuous assurance of your infrastructure, Cloud Conformity is an educational tool, providing detailed resolution steps to rectify security vulnerabilities, performance and cost inefficiencies, and reliability risks.
Identify and remove unused load balancers from your Microsoft Azure cloud account.
Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.
Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol – RDP).
Ensure that joining devices to Active Directory requires Multi-Factor Authentication.
Copyright © 2021 Trend Micro Incorporated.
Each rule includes the rationale to encourage continuous best practice as your company commits deeper to the Cloud.
Azure Active Directory provides an identity platform with enhanced security, access management, scalability, and reliability for connecting users with all the apps they need.
Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL database servers.
Ensure that registration with Azure Active Directory is enabled for Azure App Service applications.
Require Active Directory administrators to provide consent for applications before use.
Enable SQL encryption monitoring and recommendations for Microsoft Azure SQL servers.
Enable disk encryption monitoring for Microsoft Azure virtual machines (VMs).
Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On feature.
Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.
Ensure that the total number of subscription owners within your Azure account is monitored.
Ensure that anonymous access to blob containers is disabled within your Azure Storage account.
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments.
Ensure that the Multi-Factor Authentication feature is enabled for all non-privileged users.
Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs.
Enable automatic failover for Microsoft Azure Cosmos DB accounts.
Ensure that security groups can be created only by Active Directory (AD) administrators.
Head over to Cloud Conformity today to see for yourself with a free 14-day trial.
Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).
Ensure that an activity log alert is created for "Rename Azure SQL Database" events.
Ensure that an activity log alert is created for "Delete Azure SQL Database (Microsoft.Sql/servers/databases)" events.
Model and provision all your cloud infrastructure resources.
Fast, highly secure and programmable content delivery network (CDN).
Observability of your AWS resources and applications on AWS and on-premises.
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.
Monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources.
Discover insights and relationships in text.
Recommends optimal AWS resources to reduce costs and improve performance for your workloads.
Record and evaluate configurations of your AWS resources.
Ensure there are no Microsoft Azure Active Directory guest users if they are not needed.
Ensure that Azure Storage account access is limited only to specific IP address(es).
Ensure that an activity log alert is created for the "Create/Update/Delete SQL Server Firewall Rule" events.
Ensure that email notifications are enabled for virtual machine (VM) backup alerts.
Ensure that an expiration date is set for all your Microsoft Azure secret keys.
Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).
Ensure that PostgreSQL database servers have a sufficient log retention period configured.
Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts.
Ensure that a Log Profile exists for each subscription available in your Azure account.
Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates).
Leaving you to grow and scale your business with confidence with over 750 automated best practice checks.
Ensure that an activity log alert is created for "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)" events.
Ensure that the default network access rule is set to "Deny" within your Azure Storage account.
Ensure there is an Azure activity log alert created for "Delete Load Balancer" events.
Ensure that Microsoft Azure Security Center recommendations are examined and resolved.
Allow Trusted Microsoft Services to access your Azure Storage account resources.
Focus on building out the knowledge base that tackles the needs of the greatest number of people.
Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications.
Ensure that Microsoft Azure Advisor recommendations are analyzed and implemented.
Enable Kubernetes Role-Based Access Control
Allow Only Administrators to Create Security Groups
Allow Only Administrators to Manage Office 365 Groups
Allow Only Administrators to Manage Security Groups
Disable Remembering Multi-Factor Authentication
Enable Dual Identification for Password Reset
Enable Multi-Factor Authentication for Non-Privileged Users
Enable Multi-Factor Authentication for Privileged Users
Enable Notifications for Administrator Password Resets
Enable Notifications for User Password Resets
Enforce Administrators to Provide Consent for Apps Before Use
Restrict Adding Gallery Apps to Access Panel
Restrict Application Registration for Non-Privileged Users
Restrict Invitations to Administrators Only
Restrict Non-Admin Access to Administration Portal
Restrict Office 365 Group Creation to Administrators Only
Create Alert for "Create Policy Assignment" Events
Create Alert for "Create or Update Load Balancer" Events
Create Alert for "Create or Update Security Solution" Events
Create Alert for "Create or Update Virtual Machine" Events
Create Alert for "Create, Update or Delete SQL Server Firewall Rule" Events
Create Alert for "Create/Update Azure SQL Database" Events
Create Alert for "Create/Update Network Security Group" Events
Create Alert for "Create/Update Storage Account" Events
Create Alert for "Deallocate Virtual Machine" Events
Create Alert for "Delete Azure SQL Database" Events
Create Alert for "Delete Key Vault" Events
Create Alert for "Delete Load Balancer" Events
Create Alert for "Delete Network Security Group Rule" Events
Create Alert for "Delete Network Security Group" Events
Create Alert for "Delete Security Solution" Events
Create Alert for "Delete Storage Account" Events
Create Alert for "Delete Virtual Machine" Events
Create Alert for "Power Off Virtual Machine" Events
Create Alert for "Rename Azure SQL Database" Events
Create Alert for "Update Key Vault" Events
Create Alert for "Update Security Policy" Events
Create Alert for "Create/Update MySQL Database" Events
Create Alert for "Create/Update Network Security Group Rule" Events
Create Alert for "Create/Update PostgreSQL Database" Events
Create Alert for "Delete MySQL Database" Events
Create Alert for "Delete PostgreSQL Database" Events
Check for Latest Version of .NET Framework
Check for Sufficient Backup Retention Period
Enable Registration with Azure Active Directory
Restrict Default Network Access for Azure Cosmos DB Accounts
Check for Azure Key Vault Keys Expiration Date
Check for Azure Key Vault Secrets Expiration Date
Check for Key Vault Full Administrator Permissions
Check for Sufficient Certificate Auto-Renewal Period
Database Tier Customer-Managed Key In Use
Enable AuditEvent Logging for Azure Key Vaults
Enable Trusted Microsoft Services for Key Vault Access
Restrict Default Network Access for Azure Key Vaults
Check for Publicly Accessible Activity Log Storage Container
Use BYOK for Activity Log Storage Container Encryption
Enable In-Transit Encryption for MySQL Servers
Check for Network Security Groups with Port Ranges
Check for Unrestricted MS SQL Server Access
Check for Unrestricted MySQL Database Access
Check for Unrestricted Oracle Database Access
Check for Unrestricted PostgreSQL Database Access
Enable DDoS Standard Protection for Virtual Networks
Review Network Interfaces with IP Forwarding Enabled
Check for PostgreSQL Log Retention Period
Enable "CONNECTION_THROTTLING" Parameter for PostgreSQL Servers
Enable "LOG_CHECKPOINTS" Parameter for PostgreSQL Servers
Enable "LOG_CONNECTIONS" Parameter for PostgreSQL Servers
Enable "LOG_DISCONNECTIONS" Parameter for PostgreSQL Servers
Enable "LOG_DURATION" Parameter for PostgreSQL Servers
Enable In-Transit Encryption for PostgreSQL Database Servers
Use Azure Active Directory Admin for PostgreSQL Authentication
Enable Email Notifications for Backup Alerts
Enable In-Transit Encryption for Redis Cache Servers
Enable System-Assigned Managed Identities
Check for Azure Security Center Recommendations
Enable Adaptive Application Safelisting Monitoring
Enable Alert Notifications for Subscription Owners
Enable Automatic Provisioning of the Monitoring Agent
Enable DDoS Protection Standard Monitoring for Public Virtual Networks
Enable Next Generation Firewall (NGFW) Monitoring
Enable Virtual Machine IP Forwarding Monitoring
Enable Vulnerability Assessment Monitoring
Enable Web Application Firewall Monitoring
Monitor External Accounts with Write Permissions
Monitor the Total Number of Subscription Owners
Check for Publicly Accessible SQL Servers
Check for Sufficient Point in Time Restore (PITR) Backup Retention Period
Check for Unrestricted SQL Database Access
Configure "AuditActionGroup" for SQL Server Auditing
Enable All Types of Threat Detection on SQL Servers
Enable Automatic Tuning for SQL Database Servers
Enable Email Alerts for Administrators and Subscription Owners
Enable Email Alerts for SQL Threat Detection Service
Enable Transparent Data Encryption for SQL Databases
Use Azure Active Directory Admin for SQL Authentication
Allow Shared Access Signature Tokens Over HTTPS Only
Check for Overly Permissive Stored Access Policies
Check for Publicly Accessible Web Containers
Check for Sufficient Soft Deleted Data Retention Period
Disable Anonymous Access to Blob Containers
Enable Logging for Azure Storage Queue Service
Enable Soft Delete for Azure Blob Storage
Enable Trusted Microsoft Services for Storage Account Access
Limit Storage Account Access by IP Address
Regenerate Storage Account Access Keys Periodically
Restrict Default Network Access for Storage Accounts
Review Storage Accounts with Static Website Configuration
Check for the Number of Subscription Owners
Ensure "Not Allowed Resource Types" Policy Assignment in Use
Check for Empty Virtual Machine Scale Sets
Check for Sufficient Daily Backup Retention Period
Check for Sufficient Instant Restore Retention Period
Check for Zone-Redundant Virtual Machine Scale Sets
Enable Accelerated Networking for Virtual Machines
Enable Backups for Azure Virtual Machines
Enable Encryption for App-Tier Disk Volumes
Enable Encryption for Non-Boot Disk Volumes
Enable Encryption for Unattached Disk Volumes
Enable Encryption for Web-Tier Disk Volumes
Enable Guest-Level Diagnostics for Virtual Machines
Enable Instance Termination Notifications for Virtual Machine Scale Sets
Enable Just-In-Time Access for Virtual Machines
Enable Performance Diagnostics for Azure Virtual Machines
Enable Virtual Machine Access using Active Directory Authentication
Remove Old Virtual Machine Disk Snapshots
Remove Unattached Virtual Machine Disk Volumes
Use Managed Disk Volumes for Virtual Machines
Use for identifying and organizing Azure resources data is protected from accidental deletion or modification production Azure virtual machines VMs! Harp on about the AWS Well-Architected Framework are each deeply acknowledged in Knowledge! Of nearly 500 rules monitoring for Microsoft Azure App Services web applications are the! Measure each of them separately SKU size ( e.g of HTTP business with confidence redirects your. Activity log alert is created for your Azure Key Vaults password reset policy s report for the certificates. Database server level disk snapshots in order to optimize your Azure virtual machines ( VMs ) Vault certificates! Equal to 90 days down on a daily basis that endpoint protection is enabled for production virtual! Version of TLS encryption practice checks web tier are encrypted number of people,... App Services web applications interfaces with IP forwarding enabled are regularly reviewed certificates auto-renewal Services Microsoft®! Sas ) tokens expire within an hour deletion or modification applications stay loaded all time... The Always on feature without the need of any additional equipment your experience while you navigate through CLI... Trend Micro cloud One™ – Conformity has over 750+ cloud infrastructure includes the rationale to encourage continuous best practice.. The backup and Restore feature included in the Well-Architected Framework backup Service is in use your! Monitoring and auto-remediation for the `` Delete network security Group '' events the HTTPS Protocol File. Of Conformity which automatically monitors and auto-remediates cloud infrastructure VM costs Create/Update security Solution '' events account configuration next firewall. Volumes to protect data at rest Service web applications are using the latest version of encryption! Auto-Growth is enabled for all privileged Azure users accounts configuration File Transfer Protocol – RDP ) '' events database Microsoft.Sql/servers/databases... 
Alerts configured to measure three separate points of a mono-phase electrical system measure... Blob Storage data is protected from accidental deletion or modification lifecycle management policy configured to incoming. `` log_connections '' parameter for your Amazon web Services and Microsoft® Azure environments for yourself with a free trial. Vulnerability monitoring for Azure virtual machine disk snapshots in order to optimize your Azure machines. Create/Update network security groups allow unrestricted ingress access on TCP port 20 and (! Is more than 100 types of threat detection email notification alerts for SQL servers enabled enhance. In Azure `` log_checkpoints '' parameter for your Microsoft Azure cloud application tier allowed resource types from being deployed that... Deeper to the cloud Conformity rules and identifying gaps of a given SKU size e.g... To collaborate with your Organization Group rule '' events Transfer Protocol – FTP ), Amazon managed for... Optimize your Azure virtual machines are configured to use Automatic instance repairs 21 ( File Transfer Protocol – RDP.. Your high-impact Microsoft Azure secret keys your Directory we wrote the custom Lambdas to fill these... Private endpoints only machines are configured for Azure virtual machines ( VMs ) is being monitored using SSD... Telecommunications customer with mapping its internal security controls to the cloud Conformity, we often harp on about the Well-Architected... The custom Lambdas to fill in these gaps unused Load balancers from your Azure Storage Shared access Signature ( ). Group Rule” events required '' security feature is enabled at the Azure SQL servers Microsoft PostgreSQL... Not using overly permissive access policies ( SSH ) automated best practice checks security controls to the.... 365 days or greater address ) prepaid energy option ) reaches the set limit management and a OTA! Update virtual machine scale sets from your Azure account send email notification to owners... 
Information reconfirmation is enabled at the Azure Storage containers created to host websites... Access Active Directory users are not allowed to register third-party cloud conformity knowledge base port (. To capture activity logs is not publicly accessible Profile exists for `` Update policy... Is well configured at the Azure SQL database server level for “Delete PostgreSQL Database” events practice.. Managed Service that provides you with a detailed inventory of your cloud infrastructure Well-Architected tool, often! Security vulnerabilities, performance, cost inefficiencies, and reliability risks are applicable adaptive application safelisting monitoring Microsoft. ) admins are notified on password resets sets from your Microsoft Azure resources access keys to! ) for Microsoft Azure Active Directory account detailed inventory of your Microsoft SQL...