diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
index 4ac1b61b..37c3bc9b 100644
--- a/src/Analyzer.Core/Rules/BuiltInRules.json
+++ b/src/Analyzer.Core/Rules/BuiltInRules.json
@@ -626,8 +626,8 @@
 "id": "TA-000020",
 "name": "Authorization.UseBuiltInRBAC",
 "shortDescription": "Audit usage of custom RBAC roles",
- "fullDescription": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.",
- "recommendation": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",
+ "fullDescription": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.",
+ "recommendation": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000020-audit-usage-of-custom-rbac-roles",
 "severity": 3,
 "evaluation": {
@@ -712,26 +712,16 @@
 "id": "TA-000025",
 "name": "AKS.UpgradeToNonVulnerableVersion",
 "shortDescription": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
- "fullDescription": "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. Running on older versions could mean you are not using latest security classes. Usage of such old classes and types can make your application vulnerable.",
- "recommendation": "Upgrade to a non-vulnerable Kubernetes version (1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+)",
+ "fullDescription": "Upgrade your Kubernetes service cluster to a supported version to protect against known vulnerabilities. Older versions of Kubernetes are not supported and do not receive security patches.",
+ "recommendation": "Upgrade to a supported Kubernetes version. According to the AKS release calendar, supported versions are 1.31, 1.32, 1.33, and newer.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000025-kubernetes-services-should-be-upgraded-to-a-non-vulnerable-kubernetes-version",
 "severity": 1,
 "evaluation": {
 "resourceType": "Microsoft.ContainerService/managedClusters",
- "allOf": [
- {
- "not": {
- "path": "properties.kubernetesVersion",
- "regex": "^1\\.((11\\.[0-8])|(12\\.[0-6])|(13\\.[0-4]))"
- }
- },
- {
- "not": {
- "path": "properties.kubernetesVersion",
- "regex": "^1\\.(([0-9]|10)\\.\\d+)"
- }
- }
- ]
+ "not": {
+ "path": "properties.kubernetesVersion",
+ "regex": "^1\\.(3[1-9]|[4-9][0-9])\\.\\d+"
+ }
 }
 },
 {
@@ -807,7 +797,7 @@
 },
 {
 "path": "properties.retentionDays",
- "equals": 0 // 0 == unlimited retention
+ "equals": 0
 },
 {
 "path": "properties.retentionDays",
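Review bot: The new regex `^1\\.(3[1-9]|[4-9][0-9])\\.\\d+` under `not` requires a patch component and has no end anchor, so a template that pins only major.minor (AKS accepts a value such as `1.32` and resolves the patch itself) is reported as vulnerable, and any minor of 100 or above is rejected as well. Making the patch optional and anchoring the end, `"regex": "^1\\.(3[1-9]|[4-9][0-9]|[1-9]\\d{2,})(\\.\\d+)?$"`, keeps the intent without those false positives. The lower bound 31 is also duplicated in the recommendation text ("1.31, 1.32, 1.33, and newer"), so the regex and that sentence must move together each time the AKS support window advances; pointing the recommendation at the release calendar without listing versions would leave only the regex to maintain.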
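Review bot: Dropping the inline comment is right for a file parsed as strict JSON, but it was the only record of why `"equals": 0` sits among the failing values for `properties.retentionDays` (0 meaning unlimited retention). If the enclosing rule's fullDescription or recommendation does not already say that a retention of 0 is unlimited, carry that sentence there so the next maintainer does not read the 0 check as a mistake. The enclosing rule object starts and ends outside this hunk, so I cannot tell from here whether it already does.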
@@ -851,9 +841,9 @@
 {
 "id": "TA-000030",
 "name": "ClassicCompute.MigrateToARM",
- "shortDescription": "Migrate your Classic Compute VM to ARM",
- "fullDescription": "Azure supports two deployment models: Classic and Azure Resource Manager (ARM). ARM provides several security enhancements to the Classic model.",
- "recommendation": "Use ARM for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
+ "shortDescription": "Migrate Classic Compute VMs to ARM",
+ "fullDescription": "Azure Resource Manager (ARM) provides several security enhancements over the Classic deployment model.",
+ "recommendation": "Use Azure Resource Manager for your virtual machines for improved security and access to features like RBAC, better auditing, managed identities, and Key Vault integration.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000030-migrate-your-classic-compute-vm-to-arm",
 "severity": 1,
 "evaluation": {
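Review bot: The shortDescription becomes `Migrate Classic Compute VMs to ARM`, but helpUri keeps the anchor `#ta-000030-migrate-your-classic-compute-vm-to-arm`; the other anchors in this file mirror their shortDescription text, so if the headings in docs/built-in-rules.md are derived from it this link now points at a heading that no longer exists. Either update the anchor to `#ta-000030-migrate-classic-compute-vms-to-arm` together with the doc heading, or leave the doc heading as it was so the existing anchor stays valid. The same applies to TA-000031 in the next hunk, whose anchor still reads `#ta-000031-migrate-your-classic-storage-account-to-arm`.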
@@ -865,9 +855,9 @@
 {
 "id": "TA-000031",
 "name": "ClassicStorage.MigrateToARM",
- "shortDescription": "Migrate your Classic Storage Account to ARM",
- "fullDescription": "Azure supports two deployment models: Classic and Azure Resource Manager (ARM). ARM provides several security enhancements to the Classic model.",
- "recommendation": "Use ARM for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
+ "shortDescription": "Migrate Classic Storage Accounts to ARM",
+ "fullDescription": "Azure Resource Manager (ARM) provides several security enhancements over the Classic deployment model.",
+ "recommendation": "Use Azure Resource Manager for your storage accounts for improved security and access to features like RBAC, better auditing, managed identities, and Key Vault integration.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000031-migrate-your-classic-storage-account-to-arm",
 "severity": 1,
 "evaluation": {
@@ -882,7 +872,7 @@
 "shortDescription": "API Management calls to API backends should not bypass certificate thumbprint or name validation",
 "fullDescription": "API Management calls to API backends should not bypass certificate thumbprint or name validation",
 "recommendation": "To improve security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation by setting the tls.validateCertificateName and tls.validateCertificateChain properties to true.",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000032-api-management-calls-to-api-backends-should-not-bypass-certificate-thumbprint-or-name-validation",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000032-api-management-calls-to-api-backends-should-not-bypass-certificate-thumbprint-or-name-validation",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/backends",
@@ -904,7 +894,7 @@
 "shortDescription": "API Management direct management endpoint should not be enabled",
 "fullDescription": "The direct management REST API in Azure API Management bypasses Azure Resource Manager (ARM) Role-Based Access Control (RBAC), authorization, and throttling mechanisms, thus increasing the vulnerability of your service.",
 "recommendation": "Set the properties.enabled field to false to ensure that direct access to the management REST API is disabled.",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000033-api-management-direct-management-endpoint-should-not-be-enabled",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000033-api-management-direct-management-endpoint-should-not-be-enabled",
 "severity": 3,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/tenant",
@@ -925,9 +915,9 @@
 "id": "TA-000034",
 "name": "APIM.DisabletServiceSecretsSharingWithReadOnlyUsers",
 "shortDescription": "API Management minimum API version should be set to 2019-12-01 or higher",
- "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.",
- "recommendation": "Set the apiVersionContstraint.minAPIversion property to 2019-12-01 or higher to prevent service secrets from being shared with read-only users.",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000034-api-management-minimum-api-version-should-be-set-to-2019-12-01-or-higher",
+ "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. This opts in to a breaking change that enhances security by not returning secrets for users with read-only permissions.",
+ "recommendation": "Set the properties.apiVersionConstraint.minApiVersion property to '2019-12-01' or a later date to prevent service secrets from being shared with read-only users.",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000034-api-management-minimum-api-version-should-be-set-to-2019-12-01-or-higher",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service",
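Review bot: The evaluation `path` for this rule should be checked against the property name the recommendation now uses, `properties.apiVersionConstraint.minApiVersion`; the evaluation block opens at the end of this hunk and continues outside it, so I cannot see the path from here. The old text's `apiVersionContstraint.minAPIversion` suggests the name was typed by hand, and a mismatch between the path and the recommendation would send users to a property the rule does not evaluate. The added sentence explaining that the setting opts in to a breaking change is a helpful why-note for readers of the report.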
@@ -961,7 +951,7 @@
 "shortDescription": "API Management Named Values secrets should be stored in Azure Key Vault",
 "fullDescription": "Named Values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret Named Values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies.",
 "recommendation": "To utilize secrets stored in Key Vault for Azure API Management, learn more here: https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal#key-vault-secrets",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000035-api-management-named-value-secrets-should-be-stored-in-azure-key-vault",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000035-api-management-named-value-secrets-should-be-stored-in-azure-key-vault",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/namedValues",
@@ -991,7 +981,7 @@
 "shortDescription": "API Management services should use a virtual network",
 "fullDescription": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.",
 "recommendation": "To learn more about virtual networks for Azure API Management, please visit here: https://aka.ms/apim-vnet. To see an example of how to configure a VNet via Azure Policy, please visit here: https://learn.microsoft.com/samples/azure/azure-quickstart-templates/api-management-create-with-internal-vnet-application-gateway/",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000036-api-management-services-should-use-a-virtual-network",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000036-api-management-services-should-use-a-virtual-network",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service",
@@ -1025,7 +1015,7 @@
 "shortDescription": "API Management subscriptions should not be scoped at the all API scope",
 "fullDescription": "API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.",
 "recommendation": "To ensure the API Management service is not configured at the all API scope, please set the properties.scope property to a value other than /apis. For example, /product/{productId}, or /apis/{apiId}",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000037-api-management-subscriptions-should-not-be-scoped-at-the-all-api-scope",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000037-api-management-subscriptions-should-not-be-scoped-at-the-all-api-scope",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/subscriptions",
@@ -1049,7 +1039,7 @@
 "shortDescription": "API Management calls to API backends should be authenticated",
 "fullDescription": "Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.",
 "recommendation": "To enable API backend authentication, configure authentication credentials in the query parameters, client certificate, or authorization header. To learn more about configuring Authentication in Azure API Management, please visit here: https://learn.microsoft.com/azure/api-management/authentication-authorization-overview",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000038-api-management-calls-to-api-backends-should-be-authenticated",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000038-api-management-calls-to-api-backends-should-be-authenticated",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/backends",
@@ -1097,4 +1087,4 @@
 ]
 }
 }
-]
\ No newline at end of file
+]