module/ConfigurationProvider/ControlConfigurations/Services/LogicApps.json

{
  "FeatureName": "LogicApps",
  "Reference": "aka.ms/azsktcp/logicapps",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control",
      "Description": "Restrict your Logic App to accept trigger requests only from specified IP addresses",
      "Id": "LogicApps150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckTriggersAccessControl",
      "DisplayName": "Restrict your Logic App to accept trigger requests only from specified IP addresses",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Specifying the IP range ensures that the triggers can be invoked only from a restricted set of endpoints.",
      "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Workflow settings --> Access Control Configuration and setting the IP addresses/ranges. Do not add an Any-to-Any IP range, as this permits access from all IPs. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "NetSec",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "AnyIPRangeIPV4Begin": "0.0.0.0",
        "AnyIPRangeIPV4End": "255.255.255.255",
        "AnyIPRangeIPV6Begin": "::",
        "AnyIPRangeIPV6End": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
        "AnyIPCIDRSuffix": "/0"
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Contents_Access_Control",
      "Description": "Access requests to input/output data of Logic App run history must be restricted to specified IP addresses",
      "Id": "LogicApps160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckContentsAccessControl",
      "DisplayName": "Access requests to input/output data of Logic App run history must be restricted to specified IP addresses",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.",
      "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Workflow settings --> Access Control Configuration and setting the IP addresses/ranges. Do not add an Any-to-Any IP range, as this permits access from all IPs. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "NetSec",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "AnyIPRangeIPV4Begin": "0.0.0.0",
        "AnyIPRangeIPV4End": "255.255.255.255",
        "AnyIPRangeIPV6Begin": "::",
        "AnyIPRangeIPV6End": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
        "AnyIPCIDRSuffix": "/0"
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Avoid_Plaintext_Secrets",
      "Description": "Logic Apps must not have secrets/credentials present in plain text",
      "Id": "LogicApps220",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "LogicAppsAvoidPlaintextSecretsAsync",
      "DisplayName": "Logic Apps must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure through various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials using the information available in the UI, rotate those credentials and remove them. Use KeyVault to store secrets/credentials and KeyVault connector to fetch those secrets/credentials: https://docs.microsoft.com/en-us/connectors/keyvault/.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "CustomTags": [
        "Wave9",
        "TenantBaseline",
        "Prod",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "CAIWave1",
        "Secrets"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthN_Connectors_Use_AAD",
      "Description": "Logic App connectors must use AAD-based authentication wherever possible",
      "Id": "LogicApps230",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsAADAuth",
      "DisplayName": "Logic App connectors must use AAD-based authentication wherever possible",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "For HTTP-based connectors, go to Azure Portal --> Logic App --> Logic app designer --> For each non-compliant connector --> Update Authentication type to either Managed Identity or Active Directory OAuth. For more details on AAD auth, refer: https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http#azure-active-directory-oauth-authentication. For other connectors you must manually verify that AAD authentication is used for connectors that support it.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN",
        "Baseline",
        "Weekly"
      ],
      "ControlSettings": {
        "AllowedAuthTypes": [ "ActiveDirectoryOAuth", "ManagedServiceIdentity" ],
        "ConnectorTypesToEvaluate": [ "HTTP" ],
        "NonCompliantConnectorTypes": [ "FTP" ],
        "CompliantConnectorTypes": [ "office365" ],
        "NotApplicableConnectorTypes": [ "Request", "Recurrence", "Response", "If", "Switch", "Until", "ForEach" ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "Connectors"
        ]
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Connectors_Encrypt_Data_In_Transit",
      "Description": "Data transit across Logic App connectors must use encrypted channel",
      "Id": "LogicApps240",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsEncryptionInTransit",
      "DisplayName": "Data transit across Logic App connectors must use encrypted channel",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping and session-hijacking attacks.",
      "Recommendation": "For HTTP-based connectors, go to Azure Portal --> Logic App --> Logic app designer --> For each non-compliant connector --> Use HTTPS URLs. For other connectors you must manually verify that the connector protocol uses encrypted connections.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Weekly"
      ],
      "ControlSettings": {
        "ConnectorTypesToEvaluate": [ "HTTP", "HttpWebhook" ],
        "NonCompliantConnectorTypes": [ "FTP" ],
        "CompliantConnectorTypes": [ "office365", "Request", "azureblob", "sql", "Response" ],
        "NotApplicableConnectorTypes": [ "Recurrence", "If", "Switch", "Until", "ForEach" ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "Connectors"
        ]
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_Audit_Enable_Resource_Logs_MCSB",
      "Description": "[MCSB] Resource logs in Logic Apps should be enabled",
      "Id": "LogicApps250",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Resource logs in Logic Apps should be enabled",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Logs should be retained for a long enough period that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A retention period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data?tabs=consumption#enable-log-analytics",
      "Tags": [
        "Automated",
        "Audit",
        "Baseline",
        "LogicApps"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "91387f44-7e43-4ecc-55f0-46f5adee3dd5"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_LogicApps_Audit_Enable_Diagnostic_Settings",
      "Description": "Enable Security Logging in Azure Logic Apps",
      "Id": "LogicApps260",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Enable Security Logging in Azure Logic Apps",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Audit logs and metrics must be enabled as they provide the details needed to investigate a security breach or threat.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data?source=recommendations&tabs=consumption#add-a-diagnostic-setting. When updating the diagnostic settings, select the 'Workflow runtime diagnostic events' log category and the 'AllMetrics' metrics; the minimum required retention period is 90 days.",
      "Tags": [
        "Automated",
        "Audit",
        "Diagnostics",
        "LogicApps",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "WorkflowRuntime"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:LogicApps_Logging"
      ]
    }
  ]
}