module/ConfigurationProvider/ControlConfigurations/Services/CognitiveSearch.json
{
"FeatureName": "CognitiveSearch", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_AISearch_Audit_Enable_Resource_Logs_MCSB", "Description": "[MCSB] Resource logs in AI search services must be enabled", "Id": "AISearch100", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Resource logs in AI search services must be enabled", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Audit the enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised.", "Recommendation": "To enable resource logs in AI Search, please refer to: https://learn.microsoft.com/en-us/azure/ai-services/diagnostic-logging#enable-diagnostic-log-collection.", "Tags": [ "Automated", "Baseline", "Audit", "AISearch" ], "AssessmentProperties": { "AssessmentNames": [ "dea5192e-1bb3-101b-b70c-4646546f5e1e" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from being evaluated is not recommended. The control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_AISearch_AuthZ_Enable_Role_Based_API_Access_Only", "Description": "Protect Azure AI Search Instances by only allowing RBAC API Access", "Id": "AISearch110", "ControlSeverity": "High", "DisplayName": "Protect Azure AI Search Instances by only allowing RBAC API Access", "Category": "Authentication must be enabled on all user accounts and services.", "ControlRequirements": "Access to resources must be controlled by authorization mechanisms.", "Automated": "Yes", "MethodName": "CheckIfRoleBasedAPIAccessIsEnabled", "Rationale": "Disabling key-based API access control mitigates the risk of unauthorized access, ensuring that only authenticated users with appropriate credentials can interact with the service. This security measure aligns with best practices, protecting sensitive data and system integrity.", "Recommendation": "Remediation Steps for failed Configurations: 1. In the Azure portal, navigate to your search service. 2. In the left-navigation pane, select Keys. 3. Select Role-based access control. 
For more information, please refer to: https://learn.microsoft.com/en-us/azure/search/search-security-rbac?tabs=config-svc-portal%2Croles-portal%2Ctest-portal%2Ccustom-role-portal%2Cdisable-keys-portal.", "Tags": [ "AuthZ", "Baseline", "AISearch" ], "Enabled": true, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv12", "SN:AISearch_API_Access" ] }, { "ControlID": "Azure_AISearch_Audit_Enable_Diagnostic_Settings", "Description": "Enable Security Logging in Azure AI Search", "Id": "AISearch120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Enable Security Logging in Azure AI Search", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Audit logs and metrics must be enabled, as they provide the details needed for investigation in case of a security breach or threat", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/monitoring#configure-diagnostic-settings. While updating the diagnostic settings, the 'Operation Logs' category of logs and the 'AllMetrics' metrics should be selected, and the minimum required retention period is 90 days", "Tags": [ "Automated", "Audit", "Diagnostics", "AISearch", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "OperationLogs" ] }, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv12", "SN:AISearch_Logging" ] }, { "ControlID": "Azure_AISearch_NetSec_Restrict_Public_Network_Access", "Description": "Public network access must be restricted in Azure AI Search", "Id": "AISearch130", "ControlSeverity": "High", "Automated": "Yes", 
"MethodName": "RestrictPublicNetworkAccess", "DisplayName": "Public network access must be restricted in Azure AI Search", "ControlRequirements": "Restrict network traffic flows", "Category": "Deploy controls to restrict network traffic", "Rationale": "Access to the Azure AI Search resource from the public network must be restricted. This prevents unauthorized access to the resource from outside the network boundary.", "Recommendation": "It is recommended that an IP firewall (https://learn.microsoft.com/en-us/azure/search/service-configure-firewall) or private endpoints (https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint) be used rather than leaving public network access fully enabled.", "Tags": [ "Automated", "NetSec", "AISearch" ], "ControlEvaluationDetails": { "RequiredProperties": [ "PublicNetworkAccessSetting" ] }, "Enabled": true, "ControlSettings": { "PossibleAddressSpaceSize": "3702258432", "AllowedPercentageCoverage": "2", "ItemsInAdditionalInformation": "10" }, "CustomTags": [ "Baseline", "Weekly" ] } ] }