Framework/Configurations/SVT/Services/CDN.json
{
"FeatureName": "CDN", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_CDN_AuthZ_Grant_Min_RBAC_Access", "Description": "All Users/Identities must be granted the minimum required permissions using Role Based Access Control (RBAC)", "Id": "CDN110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Clean up any unauthorized access on the CDN. Run the command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_CDN_AuthN_Config_Token_AuthN", "Description": "CDN profile should be deployed on the Premium Verizon tier to restrict anonymous access to the endpoints using token authentication", "Id": "CDN120", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "To enable token authentication, Go to Azure Portal --> your CDN Profile --> Manage --> HTTP LARGE --> Token Auth. 
Please refer https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth for more details on token authentication.", "Tags": [ "SDL", "Best Practice", "Manual", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_CDN_DP_TokenKey_Protection", "Description": "The token encryption key must be protected in a Key Vault if a website dynamically generates the token from code", "Id": "CDN130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Refer https://azure.microsoft.com/en-in/documentation/articles/key-vault-get-started/ for configuring Key Vault and storing secrets, and https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth for token authentication.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_CDN_DP_Enable_Https", "Description": "CDN endpoints must use the HTTPS protocol while providing data to the client browser/machine and while fetching data from the origin server", "Id": "CDN140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCDNHttpsProtocol", "Recommendation": "To enable HTTPS protocol, Go to Azure Portal --> your CDN Profile --> your CDN Endpoint --> Origin --> Select HTTPS --> Save.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_CDN_DP_Don't_Use_Protected_Data", "Description": "Do not put anything that should be protected in a CDN; a CDN is suitable for resources where anonymous access is not an issue", "Id": "CDN150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Refer https://docs.microsoft.com/en-gb/azure/architecture/best-practices/cdn for details.", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_CDN_DP_Use_Only_For_Public_Data", "Description": "Do not convert private content into public content in order to use CDN; rather, use CDN to load the contents of a web page that are public (like CSS)", "Id": "CDN160", "ControlSeverity": "High", "Automated": 
"No", "MethodName": "", "Recommendation": "Refer https://docs.microsoft.com/en-gb/azure/architecture/best-practices/cdn for details.", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_CDN_Audit_Configure_Real_Time_Alerts", "Description": "Configure real-time alerts on status code 403 to be notified of any unauthorized requests to the CDN endpoint", "Id": "CDN170", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "To set up alerts, Go to Azure Portal --> your CDN Profile --> Manage --> Analytics --> Real-Time Stats --> Real-Time Alerts.", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true } ] }