module/ConfigurationProvider/ControlConfigurations/Services/AutomationAccounts.json

{
  "FeatureName": "AutomationAccounts",
  "Reference": "aka.ms/azsktcp/automationaccounts",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_AutomationAccounts_DP_Encrypt_Variables_MCSB",
      "Description": "[MCSB] Automation account variables should be encrypted",
      "Id": "AutomationAccounts110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Automation account variables should be encrypted",
      "Category": "Encrypt data at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Encryption helps prevent sensitive data breaches during transfer and storage.",
      "Recommendation": "To encrypt any automation account variable, go to the Azure Portal --> your Automation Account --> Shared Resources --> Variables. As a variable's encrypted state cannot be modified after creation, you need to delete that variable and create another variable with the same name and value with encryption enabled, or refer to: https://github.com/azsk/AzTS-docs/blob/main/Control%20coverage/Feature/AutomationAccounts.md#azure_automationaccounts_dp_encrypt_variables",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "b12bc79e-4f12-44db-acda-571820191ddc"
        ],
        "ResourceDetails": {
          "HasExtendedResourceId": true,
          "ExtendedIdResourceTypes": [
            "Microsoft.Automation/automationAccounts/variables"
          ],
          "UseExtendedResourceMetadata": false
        }
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AutomationAccounts_DP_Encrypt_Variables",
      "Description": "Automation account variables must be encrypted",
      "Id": "AutomationAccounts120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAutomationAccountVariableEncrypted",
      "ControlScanSource": "MDCorReader",
      "DisplayName": "Automation account variables must be encrypted",
      "Category": "Encrypt data at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Encryption helps prevent sensitive data breaches during transfer and storage.",
      "Recommendation": "To encrypt any automation account variable, go to the Azure Portal --> your Automation Account --> Shared Resources --> Variables. As a variable's encrypted state cannot be modified after creation, you need to delete that variable and create another variable with the same name and value with encryption enabled, or refer to: https://github.com/azsk/AzTS-docs/blob/main/Control%20coverage/Feature/AutomationAccounts.md#azure_automationaccounts_dp_encrypt_variables",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "b12bc79e-4f12-44db-acda-571820191ddc"
        ],
        "ResourceDetails": {
          "HasExtendedResourceId": true,
          "ExtendedIdResourceTypes": [
            "Microsoft.Automation/automationAccounts/variables"
          ],
          "UseExtendedResourceMetadata": false
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "AutomationVariables"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv8",
        "EDPreview",
        "SMTPreview",
        "SN:AutoAcc_VarEncrypt"
      ]
    },
    {
      "ControlID": "Azure_AutomationAccounts_DP_Avoid_Plaintext_Secrets",
      "Description": "Automation Accounts must not have secrets/credentials present in plain text",
      "Id": "AutomationAccounts130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "AutomationAccountAvoidPlaintextSecretsAsync",
      "DisplayName": "Automation Accounts must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure through various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials using the information available in the UI, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
      "Tags": [
        "DP",
        "Baseline"
      ],
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "TBv14",
        "SN:Automation_Accounts_Cred_Scan"
      ],
      "Enabled": true
    }
  ]
}