module/ConfigurationProvider/ControlConfigurations/Services/ContainerApps.json
{
"FeatureName": "ContainerApps", "Reference": "aka.ms/azsktcp/Containerapps", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ContainerApps_DP_Avoid_Plaintext_Secrets", "Description": "Container Apps must not have secrets/credentials present in plain text.", "Id": "ContainerApps10", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ContainerAppsAvoidPlaintextSecretsAsync", "DisplayName": "Container Apps must not have secrets/credentials present in plain text.", "Category": "Credentials Access", "ControlRequirements": "Eliminating plain text credentials", "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text (for example in environment variables or app configuration) can lead to exposure at many points during an application's lifecycle: source control, deployment templates, portal views, exports and logs. Storing them in a key vault and referencing them from the app keeps them protected at rest and subject to access control and audit logging.", "Recommendation": "Treat any secret/credential found in plain text as compromised: locate it using the information available in the UI, rotate it, remove the plain-text value from the app configuration, and reference the secret from Azure Key Vault instead. Refer: https://learn.microsoft.com/en-us/azure/container-apps/manage-secrets?tabs=azure-portal to manage secrets in Azure Container Apps.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline" ], "Enabled": true, "CustomTags": [ "Daily", "Preview", "TenantBaseline", "MSD", "TBv9", "TRWave4", "TRPreview", "TRBaseline", "CAIPreview", "EDPreview", "SMTPreview", "SN:ContainerApps_AvoidSecrets", "CAIWave1", "Secrets" ] }, { "ControlID": "Azure_ContainerApps_DP_Dont_Allow_HTTP_Access", "Description": "Container Apps must only be accessible over HTTPS", "Id": "ContainerApps20", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ContainerAppsSecureCommunication", "DisplayName": "Container Apps must only be accessible over HTTPS", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "HTTPS-only ingress encrypts data in transit, preventing eavesdropping and tampering by anyone on the network path. Allowing insecure (plain HTTP) connections leaves request and response bodies, cookies and bearer tokens readable and modifiable in clear text.", "Recommendation": "To use secure communication in Container Apps, go to Azure Portal --> Container App --> Ingress --> uncheck 'allowInsecure' (insecure/HTTP connections) --> click Save. Equivalently, set the ingress 'allowInsecure' property to false in the app's ARM/Bicep configuration so the setting is enforced on every deployment.", "Tags": [ "SDL", "TCP", "Automated", "DP", "ContainerApps", "Baseline" ], "Enabled": true, "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_ContainerApps_DP_Enable_mTLS_Encryption", "Description": "Container Apps Environment must have mTLS enabled", "Id": "ContainerApps30", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ContainerAppsmTLSEnabled", "DisplayName": "Container Apps Environment must have mTLS enabled", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "mTLS (mutual TLS) encrypts traffic between container apps within the managed environment and requires both peers to present a certificate, so in-environment (east-west) communication is authenticated as well as encrypted. This protects the confidentiality and integrity of data moving between apps, not just the external ingress path covered by the HTTPS-only control.", "Recommendation": "To enable mTLS in a Container Apps managed environment, go to Azure Portal --> Container App Environment --> Ingress --> mTLS --> 'Enable' --> click Apply. Note that this setting covers traffic between apps inside the environment; external ingress still needs the HTTPS-only control applied separately.", "Tags": [ "SDL", "TCP", "Automated", "DP", "ContainerApps", "Baseline" ], "Enabled": true, "CustomTags": [ "Weekly" ] } ] }