AzSDK

2.1.0

Framework/Configurations/SVT/Services/RedisCache.json

{
  "FeatureName": "RedisCache",
  "Reference": "aka.ms/azsdkosstcp",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_RedisCache_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "RedisCache110",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Clean up any unauthorized access on the Redis Cache. Assign 'Redis Cache Contributor' RBAC role to developers who manages Redis Cache configurations. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command. Refer Link - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "RedisCache120",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days. Run command Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays 365 -RetentionEnabled $true. For more info visit: https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-monitor#enable-cache-diagnostics",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_AuthZ_Configure_IP_Range",
      "Description": "Consider configuring Redis Cache firewall settings for additional protection",
      "Id": "RedisCache130",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheFirewallIPAddressRange",
      "Recommendation": "Enable firewall and add rules (Don't add IP range $($this.ControlSettings.UniversalIPRange)). For more information visit: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall. REST API refernce link - https://docs.microsoft.com/en-in/rest/api/redis/redisfirewallrule",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup",
      "Description": "Redis Data Persistence should be enabled to back up Redis Cache data",
      "Id": "RedisCache140",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheRDBBackup",
      "Recommendation": "For steps to configure Data Persistance for Redis Cache visit: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#redis-data-persistence",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "BCDR",
        "OwnerAccess"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_DP_Use_SSL_Port",
      "Description": "Non-SSL port must not be enabled",
      "Id": "RedisCache150",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheSSLConfig",
      "Recommendation": "To disable Non-SSL port for Redis Cache, Go to Azure Portal -> Redis Cache -> <Select your Redis Cache> -> Advance Settings -> Allow access only via SSL -> Select Yes.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_DP_Rotate_Keys",
      "Description": "Access keys must be rotated periodically",
      "Id": "RedisCache160",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Run command 'New-AzureRmRedisCacheKey'. Run 'Get-Help New-AzureRmRedisCacheKey -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_AuthN_Dont_Share_Cache_Instances",
      "Description": "Do not share cache instances across applications",
      "Id": "RedisCache170",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Create new Redis Cache instance for each application. For more information visit: https://docs.microsoft.com/en-us/azure/redis-cache/cache-web-app-howto#configure-the-application-to-use-redis-cache",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
      {
      "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_For_Domin_App",
      "Description": "Redis Cache instance is configured with a Virtual Network for Domain Joined Applications",
      "Id": "RedisCache180",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "For steps to configure Azure Redis Cache to Virtual Network visit https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec"
      ],
      "Enabled": true
    }
  ]
}