Framework/Configurations/SVT/AAD/AAD.Application.json

{
    "FeatureName": "Application",
    "Reference": "aka.ms/azsktcp/Application",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "AAD_Application_AuthZ_Min_RBAC_Access",
      "Description": "All teams/groups must be granted minimum required permissions on build definition",
      "Id": "App110",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_Application_Remove_Test_Demo_Apps",
      "Description": "Old test/demo apps should be removed from the tenant",
      "Id": "App120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckOldTestDemoApps",
      "Rationale": "Old test/demo apps expose additional attack vectors and should not be retained in the tenant longer than needed.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_Application_DP_Return_URLs_HTTPS",
      "Description": "All return URLs configured for an application must be HTTPS endpoints",
      "Id": "App130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckReturnURLsAreHTTPS",
      "Rationale": "A return URL that is not an HTTPS endpoint allows the sign-in response to travel over an unprotected channel; requiring HTTPS for every return URL keeps that exchange on a protected transport.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_Application_Check_Orphan_App",
      "Description": "Do not permit orphaned apps (i.e., apps with no owners) in the tenant",
      "Id": "App140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckOrphanedApp",
      "Rationale": "An app with no owners has no one accountable for reviewing whether it is still needed and whether its configuration remains appropriate.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_Application_Check_FTE_Owner",
      "Description": "At least one of the owners of an app must be an FTE",
      "Id": "App150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppFTEOwner",
      "Rationale": "Having at least one FTE among an app's owners ensures there is a durable, accountable point of contact for the app.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    }
  ]
}