diff --git a/rules/S6380/azureresourcemanager/rule.adoc b/rules/S6380/azureresourcemanager/rule.adoc
index 054f0878754..4c469ad61ce 100644
--- a/rules/S6380/azureresourcemanager/rule.adoc
+++ b/rules/S6380/azureresourcemanager/rule.adoc
@@ -22,6 +22,13 @@ For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
 ]
 }
 ----
+[source,bicep,diff-id=101,diff-type=noncompliant]
+----
+resource appService 'Microsoft.Web/sites@2022-09-01' = {
+  name: 'example'
+  // Sensitive: no authentication defined
+}
+----
 
 For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
 
@@ -39,6 +46,21 @@ For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
 ]
 }
 ----
+[source,bicep,diff-id=102,diff-type=noncompliant]
+----
+resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
+  name: 'example'
+  // Sensitive: no portal authentication defined
+
+  resource apis 'apis@2022-09-01-preview' = {
+    name: 'exampleApi'
+    properties: {
+      path: '/test'
+      // Sensitive: no API authentication defined
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
 
@@ -62,6 +84,18 @@ For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linke
 ]
 }
 ----
+[source,bicep,diff-id=103,diff-type=noncompliant]
+----
+resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
+  name: 'example'
+  properties: {
+    type: 'Web'
+    typeProperties: {
+      authenticationType: 'Anonymous' // Sensitive
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts and Storage Containers]:
 
@@ -82,6 +116,16 @@ For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accoun
 ]
 }
 ----
+[source,bicep,diff-id=104,diff-type=noncompliant]
+----
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'example'
+  properties: {
+    allowBlobPublicAccess: true // Sensitive
+  }
+}
+----
+
 [source,json,diff-id=5,diff-type=noncompliant]
 ----
 {
@@ -106,6 +150,23 @@ For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accoun
 ]
 }
 ----
+[source,bicep,diff-id=105,diff-type=noncompliant]
+----
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'example'
+
+  resource blobService 'blobServices@2022-09-01' = {
+    name: 'default'
+
+    resource containers 'containers@2022-09-01' = {
+      name: 'exampleContainer'
+      properties: {
+        publicAccess: 'Blob' // Sensitive
+      }
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
 
@@ -128,6 +189,18 @@ For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
 ]
 }
 ----
+[source,bicep,diff-id=106,diff-type=noncompliant]
+----
+resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
+  name: 'example'
+  location: location
+  properties: {
+    redisConfiguration: {
+      authnotrequired: 'true' // Sensitive
+    }
+  }
+}
+----
 
 == Compliant Solution
 
@@ -160,6 +233,25 @@ For https://azure.microsoft.com/en-us/services/app-service/[App Services and equ
 ]
 }
 ----
+[source,bicep,diff-id=101,diff-type=compliant]
+----
+resource appService 'Microsoft.Web/sites@2022-09-01' = {
+  name: 'example'
+
+  resource authSettings 'config@2022-09-01' = { // Compliant
+    name: 'authsettingsV2'
+    properties: {
+      globalValidation: {
+        requireAuthentication: true
+        unauthenticatedClientAction: 'AllowAnonymous'
+      }
+      platform: {
+        enabled: true
+      }
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
 
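Review bot: The compliant App Service sample (diff-id=101, last hunk on this line) pairs `requireAuthentication: true` with `unauthenticatedClientAction: 'AllowAnonymous'`, and AllowAnonymous is the setting that lets unauthenticated requests through to the application, so the sample reads as still exposing the app even though it is labelled Compliant. The other documented values for that property (`RedirectToLoginPage`, `Return401`, `Return403`) are the ones that actually stop unauthenticated clients at the platform, which is what the rule is asking for. Unless the analyzer's compliant check deliberately ignores this property, I would change the line to `unauthenticatedClientAction: 'Return401'` (or `'RedirectToLoginPage'`) so readers do not copy an anonymous-access configuration, and check whether the existing JSON sample just above uses the same pairing.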
@@ -200,6 +292,32 @@ For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
 ]
 }
 ----
+[source,bicep,diff-id=102,diff-type=compliant]
+----
+resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
+  name: 'example'
+
+  resource portalSettings 'portalsettings@2022-09-01-preview' = {
+    name: 'signin'
+    properties: {
+      enabled: true // Compliant: Sign-in is enabled for portal access
+    }
+  }
+
+  resource apis 'apis@2022-09-01-preview' = {
+    name: 'exampleApi'
+    properties: {
+      path: '/test'
+      authenticationSettings: { // Compliant: API has authentication enabled
+        openid: {
+          bearerTokenSendingMethods: ['authorizationHeader']
+          openidProviderId: ''
+        }
+      }
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
 
@@ -223,6 +341,27 @@ For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linke
 ]
 }
 ----
+[source,bicep,diff-id=103,diff-type=compliant]
+----
+@secure()
+@description('The password for authentication')
+param password string
+
+resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
+  name: 'example'
+  properties: {
+    type: 'Web'
+    typeProperties: {
+      authenticationType: 'Basic' // Compliant
+      username: 'test'
+      password: {
+        type: 'SecureString'
+        value: password
+      }
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
 
@@ -243,6 +382,16 @@ For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accoun
 ]
 }
 ----
+[source,bicep,diff-id=104,diff-type=compliant]
+----
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'example'
+  properties: {
+    allowBlobPublicAccess: false // Compliant
+  }
+}
+----
+
 [source,json,diff-id=5,diff-type=compliant]
 ----
 {
@@ -267,6 +416,23 @@ For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accoun
 ]
 }
 ----
+[source,bicep,diff-id=105,diff-type=compliant]
+----
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'example'
+
+  resource blobService 'blobServices@2022-09-01' = {
+    name: 'default'
+
+    resource containers 'containers@2022-09-01' = {
+      name: 'exampleContainer'
+      properties: {
+        publicAccess: 'None' // Compliant
+      }
+    }
+  }
+}
+----
 
 For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
 
@@ -287,6 +453,18 @@ For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
 ]
 }
 ----
+[source,bicep,diff-id=106,diff-type=compliant]
+----
+resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
+  name: 'example'
+  location: location
+  properties: {
+    redisConfiguration: {
+      // Compliant: authentication is enabled by default
+    }
+  }
+}
+----
 
 include::../see.adoc[]