module/ConfigurationProvider/ControlConfigurations/Services/CDN.json
{
"FeatureName": "CDN", "Reference": "aka.ms/azsktcp/cdn", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_CDN_DP_Enable_Https", "Description": "CDN endpoints must use HTTPS protocol while providing data to the client browser/machine or while fetching data from the origin server", "Id": "CDN140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCDNHttpsProtocol", "DisplayName": "CDN endpoints must use HTTPS protocol while providing data to the client browser/machine or while fetching data from the origin server", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping and session-hijacking attacks.", "Recommendation": "Enable only the HTTPS protocol for endpoints. To enable HTTPS protocol: Go to Azure Portal --> your CDN Profile --> your CDN Endpoint --> Origin --> Select HTTPS --> Save. Else implement through PowerShell as follows: `$ce= Get-AzCdnEndpoint -EndpointName <EndpointName> -ProfileName <CDNprofile> -ResourceGroupName <RGName>; `$ce.IsHttpAllowed =`$false; `$ce.IsHttpsAllowed =`$true; Set-AzCdnEndpoint -CdnEndpoint `$ce. Note: In the interest of user experience, enable both HTTP and HTTPS protocols along with an HTTP to HTTPS redirection rule configured in the rules engine for all endpoints. To enable HTTP and HTTPS protocols: Go to Azure Portal --> your CDN Profile --> your CDN Endpoint --> Origin --> Select HTTPS and HTTP --> Save. 
Else implement through PowerShell as follows: `$ce= Get-AzCdnEndpoint -EndpointName <EndpointName> -ProfileName <CDNprofile> -ResourceGroupName <RGName>; `$ce.IsHttpAllowed =`$true; `$ce.IsHttpsAllowed =`$true; Set-AzCdnEndpoint -CdnEndpoint `$ce and refer: https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine to configure the HTTP to HTTPS redirection rule in the rules engine.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline", "Weekly", "CSEOPilotSub" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "IsHttpAllowed", "IsHttpsAllowed" ] }, "CustomTags": [ "CSEOBaseline", "CSEOPilot", "EligibleForSelfAttestation" ] }, { "ControlID": "Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration", "Description": "Protect Internet First Applications with Azure FrontDoor and WAF", "Id": "FrontDoorCDNProfile110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckWAFConfiguredInFrontDoorCDNProfile", "DisplayName": "Protect Internet First Applications with Azure FrontDoor and WAF", "Rationale": "Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits & vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements.", "Recommendation": "To configure WAF, Go to Azure Portal --> Web Application Firewall -> Create -> Select Policy For: Global WAF (Front Door). Select Front Door Tier: Standard or Classic. Select the appropriate Resource Group & Subscription. Give the Policy a name. In the Association tab, add the Front Door Profiles (Endpoints). Finally, click the 'Review + Create' button. 
For more information visit: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal", "Tags": [ "Baseline", "NetSec", "Daily" ], "Enabled": true, "CustomTags": [ "Preview", "TenantBaseline", "MSD", "TBv7", "TRWave4", "TRPreview", "TRBaseline", "EDPreview", "SMTPreview", "CAIPreview", "SN:FrontDoor_WAF" ] }, { "ControlID": "Azure_FrontDoor_Audit_Enable_Diagnostic_Settings", "Description": "Enable security logging in Front Door", "Id": "FrontDoorCDNProfile130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckFrontDoorDiagnosticsSettings", "DisplayName": "Enable security logging in Front Door", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Enabling Front Door diagnostic settings helps monitor the application, track requests and debug the Front Door configuration, and provides details for investigation in the event of a security breach.", "Enabled": true, "Recommendation": "To enable 'FrontDoorAccessLog' and 'FrontDoorWebApplicationFirewallLog' diagnostic settings, refer to https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs", "Tags": [ "Audit", "Diagnostics", "Baseline", "FrontDoor" ], "ControlSettings": { "ApplicableKinds": [ "frontdoor" ], "ApplicableSkuNames": [ "Premium_AzureFrontDoor", "Standard_AzureFrontDoor" ], "DiagnosticLogs": [ "FrontDoorAccessLog", "FrontDoorWebApplicationFirewallLog" ] }, "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "CustomTags": [ "Daily", "SN:FrontDoor_Logging", "TenantBaseline", "TBv13" ] }, { "ControlID": "Azure_FrontDoor_CDNProfile_DP_Use_Secure_TLS_Version", "Description": "Front Door should have Approved Minimum TLS version", "Id": "FrontDoorCDNProfile120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": 
"CheckTLSConfigurationInFrontDoorCDNProfile", "DisplayName": "Front Door should have Approved Minimum TLS version", "Rationale": "TLS provides privacy and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To configure TLS Version, Go to Azure Portal --> Front Door and CDN profiles -> Select Front door with pricing tier as Standard/Premium -> Go to Domains -> Select Certification Type for all the domains listed -> Select Minimum TLS Version as 1.2", "Tags": [ "Baseline", "DP", "Automated" ], "Enabled": true, "Category": "Encrypt data in transit", "CustomTags": [ "Preview", "Daily", "TenantBaseline", "MSD", "TBv8", "CAIPreview", "EDPreview", "SMTPreview", "SN:FRONTDOORCDNPROFILE_TLS", "CAIWave1" ], "ControlSettings": { "MinReqTLSVersion": "12" }, "ControlEvaluationDetails": { "RequiredProperties": [ "FrontDoorEndpointMinTLSVersion" ] } } ] }