module/ConfigurationProvider/ControlConfigurations/Services/RedisCache.json
{
"FeatureName": "RedisCache", "Reference": "aka.ms/azsktcp/rediscache", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_RedisCache_BCDR_Configure_Allowed_Redundancy", "Description": "Configure allowed redundancy for Azure Redis Cache to ensure BCDR", "Id": "RedisCache250", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRedisCacheRedundancy", "DisplayName": "Configure allowed redundancy for Azure Redis Cache to ensure BCDR", "Category": "Business Continuity and Disaster Recovery", "ControlRequirements": "Appropriate redundancy must be configured for Azure Redis Cache", "Rationale": "Configuring appropriate redundancy for Azure Redis Cache ensures business continuity and disaster recovery capabilities. It minimizes downtime and data loss risks in case of failures, enhancing overall system reliability and availability.", "Recommendation": "Configure Zone redundancy https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-zone-redundancy or Geo replication https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-geo-replication", "ControlSettings": { "ZonalAllocationPolicy": "Automatic", "MinLinkedServers": 1, "LinkedServerCheckApplicableSKUs": [ "Premium" ] }, "ControlEvaluationDetails": { "RequiredProperties": [ "LinkedServersLength", "ZonalAllocationPolicy" ] }, "Tags": [ "Automated", "Baseline", "BCDR", "RedisCache" ], "Enabled": true, "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup", "DisplayName": "Redis Data Persistence should be enabled to back up Redis Cache data", "Description": "Redis Data Persistence should be enabled to back up Redis Cache data", "Id": "RedisCache140", "ControlSeverity": "Medium", "Category": "Data persistence should be ensured", "ControlRequirements": "Data should be backed up to ensure quicker and more efficient recovery", "Automated": "Yes", "MethodName": "CheckRedisCacheRDBBackup", "Rationale": "Enabling backup on Redis Cache ensures 
that there is always a previous snapshot of data that can be leveraged towards recovery scenarios.", "Recommendation": "Configure data persistence. Refer: https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-premium-persistence", "ControlEvaluationDetails": { "RequiredProperties": [ "RedisConfiguration" ] }, "Tags": [ "Baseline", "Weekly", "SDL", "Best Practice", "Automated", "BCDR", "RedisCache" ], "Enabled": true, "CustomTags": [], "ControlSettings": { "RDBBackApplicableSku": [ "premium" ] } }, { "ControlID": "Azure_RedisCache_DP_Use_SSL_Port", "Description": "Non-SSL port must not be enabled for Redis Cache", "Id": "RedisCache150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedisCacheSSLConfig", "DisplayName": "Non-SSL port must not be enabled for Redis Cache", "Category": "Data must be encrypted in transit and at rest", "ControlRequirements": "Encryption provides data confidentiality as it traverses from the source to the destination server over untrusted networks, and at rest against threats and compromise", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "To disable Non-SSL port for Redis Cache, run command: Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false", "Tags": [ "SDL", "TCP", "Automated", "DP", "RedisCache", "Baseline", "Daily", "CSEOPilotSub" ], "Enabled": true, "ControlScanSource": "MDCorReader", "AssessmentProperties": { "AssessmentNames": [ "35b25be2-d08a-e340-45ed-f08a95d804fc" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "CustomTags": [ "CSEOBaseline", "MSD", "TenantBaseline", "Prod", "CSEOPilot", "Wave8", "EDPreview", "SMTPreview", "SN:Redis_SSL", "WEBXTWave1", "WEBXTPreview", "EPSFWave1", "EPSFPreview" ] }, { "ControlID": "Azure_RedisCache_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure RedisCache.", "Id": "RedisCache190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedisCacheTLSVersion", "DisplayName": "Use approved version of TLS for Azure RedisCache.", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "Go to Azure Portal --> your Redis Cache instance --> Settings --> Advanced Settings --> Set Minimum TLS version to '1.2'", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline" ], "Enabled": true, "ControlSettings": { "MinReqTLSVersion": "1.2" }, "CustomTags": [ "Daily", "Preview", "TenantBaseline", "MSD", "TBv9", "TRWave4", "TRPreview", "TRBaseline", "CAIPreview", "EDPreview", "SMTPreview", "SN:REDIS_TLS", "CAIWave1" ] }, { "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_MCSB", "Description": "[MCSB] Azure Cache for Redis should reside within a virtual network", "Id": "RedisCache210", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Azure Cache for Redis should reside within a virtual network", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies", "Rationale": "Azure Virtual Network deployment provides enhanced security, isolation and the instance can only be accessed from virtual machines and 
applications within the virtual network.", "Recommendation": "To configure virtual network on Azure Cache for Redis from Azure Portal: Azure Portal -->Azure Cache for Redis services --> Select Azure Cache for Redis --> Select 'Virtual Network' blade -->Add virtual network --> click 'Save'. For more info Refer:https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-premium-vnet#set-up-virtual-network-support. NOTE: Virtual network is supported for only Premium tier Azure Cache for Redis.", "Tags": [ "SDL", "Automated", "Baseline", "NetSec", "RedisCache" ], "AssessmentProperties": { "AssessmentNames": [ "be264018-593c-1162-bd5e-b74a39396652" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_RedisCache_DP_Use_Secure_Connections_MCSB", "Description": "[MCSB] Only secure connections to your Azure Cache for Redis should be enabled", "Id": "RedisCache220", "ControlSeverity": "High", "ControlScanSource": "MDC", "Automated": "Yes", "DisplayName": "[MCSB] Only secure connections to your Azure Cache for Redis should be enabled", "Category": "Data must be encrypted in transit and at rest", "ControlRequirements": "Encryption provides data confidentiality as it traverses from the source to the destination server over untrusted networks, and at rest against threats and compromise", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "To configure SSL port on Azure Redis Cache from Azure portal, go to Azure Portal --> Redis Cache --> Console --> use following command: 
Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false or refer: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#access-ports", "Tags": [ "DP", "RedisCache", "Baseline" ], "AssessmentProperties": { "AssessmentNames": [ "35b25be2-d08a-e340-45ed-f08a95d804fc" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_RedisCache_DP_Use_SSL_Port_KR51", "Description": "[KR51] Non-SSL port must not be enabled for Redis Cache.", "Id": "RedisCache230", "ControlSeverity": "Medium", "Automated": "Yes", "ControlScanSource": "Policy", "DisplayName": "[KR51] Non-SSL port must not be enabled for Redis Cache.", "Category": "Data must be encrypted in transit and at rest", "ControlRequirements": "Encryption provides data confidentiality as it traverses from the source to the destination server over untrusted networks, and at rest against threats and compromise", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "To disable Non-SSL port for Redis Cache, run command: Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false", "Tags": [ "Baseline", "Automated", "RedisCache", "DP" ], "CustomPolicyProperties": { "PolicyDefinitionandAssignmentIdMapping": [ { "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb", "AssignmentId": "" } ] }, "CustomDeploymentPolicyProperties": { "PolicyDefinitonMappings": [ { "EffectType": "Deny", "DefinitionType": 
"Definition", "DisplayName": "Redis Cache should allow access only via SSL", "Description": "Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", "Id": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb" } ] }, "Enabled": false, "CustomTags": [ "KR51", "Daily" ] }, { "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostic_Settings", "Description": "Enable Security Logging in Azure Redis Cache", "Id": "RedisCache240", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Enable Security Logging in Azure Redis Cache", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Auditing logs and metrics must be enabled as they provide the details needed for investigation in case of a security breach or threat", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings?tabs=basic-standard-premium#enable-connection-logging-using-the-azure-portal and, while updating the diagnostic settings, enable the 'ConnectedClientList' log category with a minimum required retention period of 90 days", "Tags": [ "Baseline", "Automated", "RedisCache", "Audit", "Diagnostics" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "ConnectedClientList" ] }, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv12", "SN:RedisCache_Logging" ] } ] }