-
Notifications
You must be signed in to change notification settings - Fork 16
/
data.yaml
64 lines (59 loc) · 2.39 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
metadata:
id: 76fea8f6-7bf2-5dc4-85f0-1aec20fbf100
name: |-
Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
profile_applicability: '* Level 2'
description: |-
The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft.
Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them.
Consequently Basic/Free SKUs should never be used for production workloads.
rationale: |-
Typically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist.
The following resource types should use standard SKUs as a minimum.
- Public IP Addresses
- Network Load Balancers
- REDIS Cache
- SQL PaaS Databases
- VPN Gateways
audit: |-
This needs to be audited by Azure Policy (one for each resource type) and denied for each artifact that is production.
**From Azure Portal**
1. Open `Azure Resource Graph Explorer`
2. Click `New query`
3. Paste the following into the query window:
```
Resources
| where sku contains 'Basic' or sku contains 'consumption'
| order by type
```
4. Click `Run query` then evaluate the results in the results window.
**From Azure CLI**
```
az graph query -q "Resources | sku contains 'Basic' or sku contains 'consumption' | order by type"
```
**From PowerShell**
```
Get-AzResource | ?{ $_.Sku -EQ "Basic"}
```
remediation: |-
Each artifact has its own process for upgrading from basic to standard SKU's and this should be followed if required.
impact: |-
The impact of enforcing Standard SKU's is twofold
1) There will be a cost increase
2) The monitoring and service level agreements will be available and will support the production service.
All resources should be either tagged or in separate Management Groups/Subscriptions
default_value: ''
references: ''
section: Logging and Monitoring
version: '1.0'
tags:
- CIS
- AZURE
- CIS 5.5
- Logging and Monitoring
benchmark:
name: CIS Microsoft Azure Foundations
version: v2.0.0
id: cis_azure
rule_number: '5.5'
posture_type: cspm