Framework/Configurations/SVT/Services/Search.json
{
"FeatureName": "Search", "Reference": "aka.ms/azsdkosstcp/azsearch", "IsManintenanceMode": false, "controls": [ { "ControlID": "Azure_Search_AuthZ_Grant_Min_RBAC_Access", "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "Search110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Clean up any unauthorized access on the Search service. Run command 'Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>''. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Least_Privilege_For_Monitoring", "Description": "Users monitoring/supporting the Search service should be provided with minimum required permissions", "Id": "Search120", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Clean up any unauthorized access on the Search service. Run command 'Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>''. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.", "Tags": [ "SDL", "Best Practice", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Search_DP_Encrypt_At_Rest", "Description": "Sensitive data at data source must be encrypted at rest", "Id": "Search130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Run command 'Set-AzureRmSqlDatabaseTransparentDataEncryption -DatabaseName '<DBName>' -ResourceGroupName '<RGName>' -ServerName '<SQLServerName>' -State 'Enabled'' to encrypt SQL Server data source. Run 'Get-Help Set-AzureRmSqlDatabaseTransparentDataEncryption -full' to get the complete details about this command. 
Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'Blob/File'' to encrypt Storage data source. Run 'Get-Help Set-AzureRmStorageAccount -full' to get the complete details about this command.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Search_DP_Encrypt_In_Transit", "Description": "Sensitive data in transit must be encrypted", "Id": "Search140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Specify 'Encrypt=True, TrustServerCertificate=False' parameters in your application's connection string to encrypt the connection with SQL Database or use HTTPS protocol to ensure secure communication with Azure Blob Storage.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Grant_Admin_Keys_For_Manage_Access_Only", "Description": "Admin keys must be furnished only for clients who need to manage the search catalog of Search service", "Id": "Search150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Admin keys should be maintained and owned only by the users administering the Search service and they must be rotated periodically as per the company standards. To get the Admin keys, go to Azure Portal --> your Search service --> Settings --> Keys.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Grant_Only_QueryKey_Access_to_Readers", "Description": "Consumers who require read access on Search service must only be granted query keys", "Id": "Search160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Query keys grant read-only access to indexes and documents, and end customers should be granted the query key only rather than the admin key. 
To get the Query keys, go to Azure Portal --> your Search service --> Settings --> Keys --> Manage query keys.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Search_Availability_Configure_Three_Replicas", "Description": "Search service must have at least three replicas for high availability", "Id": "Search170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSearchReplicaCount", "Recommendation": "Go to Azure Portal --> your Search service --> Settings --> Scale --> Replicas.", "Tags": [ "SDL", "TCP", "Automated", "Availability" ], "Enabled": true }, { "ControlID": "Azure_Search_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days", "Id": "Search180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Run command 'Set-AzureRmDiagnosticSetting -ResourceId '<SearchServiceResourceId>' -StorageAccountId '<StorageAccountId>' -Enable $true -RetentionEnabled $true -RetentionInDays 365'. Run 'Get-Help Set-AzureRmDiagnosticSetting -full' to get the complete details about this command.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true } ] }