Framework/Configurations/SVT/Services/LogicApps.json
{
"FeatureName": "LogicApps", "Reference": "aka.ms/azsdkosstcp/logicapps", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_LogicApps_Deploy_Dont_Use_Apps_In_Same_RG_Unless_Trust", "Description": "Multiple Logic Apps should not be deployed in the same resource group unless they trust each other", "Id": "LogicApps110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckLogicAppsInSameRG", "Recommendation": "Separate Logic Apps into different resource groups unless the apps trust each other and need to use API Connections present in the resource group.", "Tags": [ "SDL", "Best Practice", "Automated", "Deploy" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthN_Connectors_Use_AAD", "Description": "Logic App connectors must use AAD-based authentication wherever possible", "Id": "LogicApps120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckConnectorsAADAuth", "Recommendation": "For HTTP based connectors, refer: https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http#azure-active-directory-oauth-authentication", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Connector_Use_Min_Permissions", "Description": "Logic App connectors must have minimum required permissions on data source", "Id": "LogicApps130", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Connectors must be configured with minimum permissions. 
E.g., 'SQL Server-Get Row' must use an account with only Read permission on the required table.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "LogicApps140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Assign 'Logic App Contributor' role to developers and 'Logic App Operator' role to operators. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-access-to-manage-or-edit-logic-apps", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control", "Description": "If Logic App fires on an HTTP Request (e.g. Request or Webhook) then provide IP ranges for triggers to prevent unauthorized access", "Id": "LogicApps150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckTriggersAccessControl", "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Access Control Configuration and setting the IP addresses/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as this means access to all IPs.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_AuthZ_Provide_Contents_Access_Control", "Description": "Must provide IP ranges for contents to prevent unauthorized access to inputs/outputs data of Logic App run history", "Id": "LogicApps160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckContentsAccessControl", "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Access Control Configuration and setting the IP addresses/ranges. 
Do not add IP range $($this.ControlSettings.UniversalIPRange) as this means access to all IPs.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_DP_Encrypt_Data_In_Transit", "Description": "Data transit across connectors must use encrypted channel", "Id": "LogicApps170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckConnectorsEncryptionInTransit", "Recommendation": "Use HTTPS URI in HTTP-based connectors.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_DP_Dont_Allow_PlainText_Secrets_In_Codeview", "Description": "Application secrets and credentials must not be in plain text in source code (code view) of a Logic App", "Id": "LogicApps180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckConnectorsSecretsHandling", "Recommendation": "Use 'secureString' type parameter in Logic App code view for secret parameters. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-parameters-and-inputs-within-a-workflow", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_DP_Rotate_Keys", "Description": "Logic App access keys must be rotated periodically", "Id": "LogicApps190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Rotate access keys at regular intervals. 
Navigate to Logic App --> Access Keys --> Regenerate Access Key to generate a new access key.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "LogicApps200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Enable diagnostics logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever) (= forever). Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-monitor-your-logic-apps#azure-diagnostics-and-alerts", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_LogicApps_BCDR_Backup_Periodically", "Description": "Logic App Code View code should be backed up periodically", "Id": "LogicApps210", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Navigate to Logic App --> Logic App Code View and save content to a backup location.", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR" ], "Enabled": true } ] }