Prowler (complete) 5.13.0
Test results for this specific product, vendor, and version combination
| Vendor | Prowler |
| Product | Prowler (complete) |
| Version | 5.13.0 |
Test Summary
Aggregate summary of all tests for this configuration result
| Resources In Configuration | 21 |
| Count of Tests | 59 |
| Passing Tests | 21 |
| Failing Tests | 38 |
| Catalogs Tested |
Control Catalog Summary
Summary of test results grouped by control catalog and resource
| Control Catalog | Resources | Total Tests | Passing | Failing | Tested Requirements | Missing Requirements |
|---|---|---|---|---|---|---|
| CCC.AuditLog | Diagnostic SettingsMonitorstcfistoragecad63808 | 16 | 2 | 14 | ||
| CCC.Build | nsg-lee8 | 4 | 4 | 0 | ||
| CCC.CntrReg | Containers | 1 | 0 | 1 | ||
| CCC.Core | 083c1758-89d9-4b12-8...154eadeb-e375-4263-b...1b4a98ae-5221-4850-a...2c61de5e-5cbb-42b9-9...Diagnostic SettingsMonitorNetwork WatcherNetworkWatcher_centr...NetworkWatcher_south...NetworkWatcher_swede...NetworkWatcher_westu...nsg-lee8stcfistoragecad63808 | 38 | 13 | 25 | CCC.Core.CN01.AR01CCC.Core.CN01.AR02CCC.Core.CN01.AR03CCC.Core.CN01.AR07CCC.Core.CN02.AR01CCC.Core.CN04.AR01CCC.Core.CN04.AR02CCC.Core.CN04.AR03CCC.Core.CN05.AR01CCC.Core.CN05.AR02CCC.Core.CN05.AR03CCC.Core.CN05.AR04CCC.Core.CN05.AR05CCC.Core.CN05.AR06CCC.Core.CN06.AR01CCC.Core.CN07.AR02CCC.Core.CN08.AR01CCC.Core.CN08.AR02CCC.Core.CN09.AR01CCC.Core.CN09.AR02CCC.Core.CN09.AR03CCC.Core.CN10.AR01CCC.Core.CN11.AR01CCC.Core.CN11.AR02CCC.Core.CN11.AR03CCC.Core.CN11.AR04CCC.Core.CN11.AR05CCC.Core.CN13.AR02 | |
| CCC.DataWar | psql-e9rnpsql-ireupsql-rk6xpsql-rtacpsql-tumw | 5 | 5 | 0 | ||
| CCC.GenAI | 083c1758-89d9-4b12-8...154eadeb-e375-4263-b...1b4a98ae-5221-4850-a...2c61de5e-5cbb-42b9-9... | 4 | 4 | 0 | ||
| CCC.KeyMgmt | Diagnostic SettingsMonitor | 6 | 0 | 6 | ||
| CCC.LB | 083c1758-89d9-4b12-8...154eadeb-e375-4263-b...1b4a98ae-5221-4850-a...2c61de5e-5cbb-42b9-9...Diagnostic SettingsMonitorNetwork WatcherNetworkWatcher_centr...NetworkWatcher_south...NetworkWatcher_swede...NetworkWatcher_westu... | 16 | 4 | 12 | ||
| CCC.Logging | AppInsightsDiagnostic SettingsMonitorNetworkWatcher_centr...NetworkWatcher_south...NetworkWatcher_swede...NetworkWatcher_westu...psql-e9rnpsql-ireupsql-rk6xpsql-rtacpsql-tumwstcfistoragecad63808 | 29 | 2 | 27 | ||
| CCC.MLDE | 083c1758-89d9-4b12-8...154eadeb-e375-4263-b...1b4a98ae-5221-4850-a...2c61de5e-5cbb-42b9-9...nsg-lee8stcfistoragecad63808 | 12 | 10 | 2 | ||
| CCC.Monitor | Diagnostic SettingsMonitor | 10 | 0 | 10 | ||
| CCC.ObjStor | Diagnostic SettingsMonitorstcfistoragecad63808 | 11 | 4 | 7 | ||
| CCC.Vector | 083c1758-89d9-4b12-8...154eadeb-e375-4263-b...1b4a98ae-5221-4850-a...2c61de5e-5cbb-42b9-9... | 4 | 4 | 0 | ||
| CCC.VPC | Network WatcherNetworkWatcher_centr...NetworkWatcher_south...NetworkWatcher_swede...NetworkWatcher_westu... | 9 | 0 | 9 |
Test Mapping Summary
Summary of test mappings showing how event codes map to test requirements
| Control Catalog | Test Requirement | Mapped Tests (Event Code | Total | Passing | Failing) |
|---|---|---|
| CCC.AuditLog | CCC.AuditLog.CN02.AR01 When a manual action is performed to generate each audit log type,
then the corresponding audit log type MUST be generated and recorded.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 |
| CCC.AuditLog | CCC.AuditLog.CN03.AR01 When an attempt is made to disable a log source, then an alert MUST be generated.
| monitor_diagnostic_settings_exists101 |
| CCC.AuditLog | CCC.AuditLog.CN03.AR02 When an attempt is made to alter the retention or object lock status
of an external data log source or bucket, then an alert MUST be generated.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_create_update_sqlserver_fr101 monitor_alert_delete_nsg101 monitor_alert_delete_policy_assignment101 monitor_alert_delete_public_ip_address_rule101 monitor_alert_delete_security_solution101 monitor_alert_service_health_exists101 monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 |
| CCC.AuditLog | CCC.AuditLog.CN04.AR01 When audit log buckets are created then verify that server access
logging MUST be enabled for the audit log bucket,
with logs delivered to a separate, secure logging bucket.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists202 storage_blob_public_access_level_is_disabled110 |
| CCC.AuditLog | CCC.AuditLog.CN05.AR01 When audit logs are exported, then audit logs MUST be present in the configured data location.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 |
| CCC.AuditLog | CCC.AuditLog.CN06.AR01 When the retention policy is applied, then data MUST
be automatically deleted after the configured number of days.
| monitor_diagnostic_settings_exists101 storage_ensure_soft_delete_is_enabled110 |
| CCC.AuditLog | CCC.AuditLog.CN08.AR01 When an attempt is made to delete data before the object
lock period expires, then the deletion MUST be denied.
| monitor_diagnostic_settings_exists101 storage_ensure_soft_delete_is_enabled110 |
| CCC.AuditLog | CCC.AuditLog.CN09.AR01 When restricted fields are accessed by unauthorized users, then those fields MUST remain masked.
| monitor_diagnostic_settings_exists101 |
| CCC.AuditLog | CCC.AuditLog.CN10.AR01 When audit log storage bucket's are created then, bucket's access control settings MUST explicitly deny
public read and write access.
| storage_blob_public_access_level_is_disabled110 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.AuditLog | CCC.AuditLog.CN10.AR02 When the URL of a audit log storage bucket's object is accessed publicly then,
it should be denied by bucket policy.
| storage_blob_public_access_level_is_disabled110 storage_default_network_access_rule_is_denied101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Build | CCC.Build.CN03.AR01 Attempt to access the build environment from an external network and verify that access is denied.
| network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 |
| CCC.CntrReg | CCC.CntrReg.CN01.AR01 Attempt to push an artifact with known vulnerabilities to the registry
and observe if it is flagged or rejected by the vulnerability scanning process.
| defender_container_images_scan_enabled101 |
| CCC.Core | CCC.Core.CN01.AR01 When a port is exposed for non-SSH network traffic, all traffic
MUST include a TLS handshake AND be encrypted using TLS 1.3 or
higher.
| storage_ensure_minimum_tls_version_12110 storage_secure_transfer_required_is_enabled110 |
| CCC.Core | CCC.Core.CN01.AR02 When a port is exposed for SSH network traffic, all traffic MUST
include a SSH handshake AND be encrypted using SSHv2 or higher.
| network_ssh_internet_access_restricted110 storage_ensure_minimum_tls_version_12110 storage_secure_transfer_required_is_enabled110 |
| CCC.Core | CCC.Core.CN01.AR03 When the service receives unencrypted traffic,
then it MUST either block the request or automatically
redirect it to the secure equivalent.
| storage_ensure_minimum_tls_version_12110 storage_secure_transfer_required_is_enabled110 |
| CCC.Core | CCC.Core.CN01.AR07 When a port is exposed, the service MUST ensure that the protocol
and service officially assigned to that port number by the IANA
Service Name and Transport Protocol Port Number Registry, and no
other, is run on that port.
| storage_ensure_minimum_tls_version_12110 storage_secure_transfer_required_is_enabled110 storage_smb_channel_encryption_with_secure_algorithm101 |
| CCC.Core | CCC.Core.CN02.AR01 When data is stored, it MUST be encrypted using the latest
industry-standard encryption methods.
| storage_ensure_encryption_with_customer_managed_keys101 storage_infrastructure_encryption_is_enabled101 |
| CCC.Core | CCC.Core.CN04.AR01 When administrative access or configuration change is attempted on
the service or a child resource, the service MUST log the client
identity, time, and result of the attempt.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_create_update_sqlserver_fr101 monitor_alert_delete_nsg101 monitor_alert_delete_public_ip_address_rule101 monitor_alert_delete_security_solution101 monitor_alert_service_health_exists101 monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Core | CCC.Core.CN04.AR02 When any attempt is made to modify data on the service or a child
resource, the service MUST log the client identity, time, and
result of the attempt.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Core | CCC.Core.CN04.AR03 When any attempt is made to read data on the service or a child
resource, the service MUST log the client identity, time, and
result of the attempt.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Core | CCC.Core.CN05.AR01 When an attempt is made to modify data on the service or a child
resource, the service MUST block requests from unauthorized
entities.
| iam_role_user_access_admin_restricted440 |
| CCC.Core | CCC.Core.CN05.AR02 When administrative access or configuration change is attempted on
the service or a child resource, the service MUST refuse requests
from unauthorized entities.
| iam_role_user_access_admin_restricted440 network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_account_key_access_disabled101 storage_default_to_entra_authorization_enabled101 storage_ensure_azure_services_are_trusted_to_access_is_enabled110 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Core | CCC.Core.CN05.AR03 When administrative access or configuration change is attempted on
the service or a child resource in a multi-tenant environment, the
service MUST refuse requests across tenant boundaries unless the
origin is explicitly included in a pre-approved allowlist.
| iam_role_user_access_admin_restricted440 network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_blob_public_access_level_is_disabled110 storage_cross_tenant_replication_disabled101 storage_default_network_access_rule_is_denied101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Core | CCC.Core.CN05.AR04 When data is requested from outside the trust perimeter, the
service MUST refuse requests from unauthorized entities.
| iam_role_user_access_admin_restricted440 network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_account_key_access_disabled101 storage_default_network_access_rule_is_denied101 storage_default_to_entra_authorization_enabled101 storage_ensure_azure_services_are_trusted_to_access_is_enabled110 storage_secure_transfer_required_is_enabled110 |
| CCC.Core | CCC.Core.CN05.AR05 When any request is made from outside the trust perimeter,
the service MUST NOT provide any response that may indicate the
service exists.
| iam_role_user_access_admin_restricted440 network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_account_key_access_disabled101 storage_default_to_entra_authorization_enabled101 storage_ensure_azure_services_are_trusted_to_access_is_enabled110 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Core | CCC.Core.CN05.AR06 When any request is made to the service or a child resource, the
service MUST refuse requests from unauthorized entities.
| iam_role_user_access_admin_restricted440 |
| CCC.Core | CCC.Core.CN06.AR01 When the service is running, its region and availability zone MUST
be included in a list of explicitly trusted or approved locations
within the trust perimeter.
| network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 network_watcher_enabled101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Core | CCC.Core.CN07.AR02 When enumeration activities are detected, the service MUST log the
client identity, time, and nature of the activity.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_create_update_sqlserver_fr101 monitor_alert_delete_nsg101 monitor_alert_delete_public_ip_address_rule101 monitor_alert_delete_security_solution101 monitor_alert_service_health_exists101 monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 |
| CCC.Core | CCC.Core.CN08.AR01 When data is created or modified, the data MUST have a complete
and recoverable duplicate that is stored in a physically separate
data center.
| storage_geo_redundant_enabled110 |
| CCC.Core | CCC.Core.CN08.AR02 When data is replicated into a second location, the service MUST
be able to accurately represent the replication locations,
replication status, and data synchronization status.
| storage_geo_redundant_enabled110 |
| CCC.Core | CCC.Core.CN09.AR01 When the service is operational, its logs and any child resource
logs MUST NOT be accessible from the resource they record access
to.
| monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Core | CCC.Core.CN09.AR02 When the service is operational, disabling the logs for the service
or its child resources MUST NOT be possible without also disabling
the corresponding resource.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 |
| CCC.Core | CCC.Core.CN09.AR03 When the service is operational, any attempt to redirect logs for
the service or its child resources MUST NOT be possible without
halting operation of the corresponding resource and publishing
corresponding events to monitored channels.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Core | CCC.Core.CN10.AR01 When data is replicated, the service MUST ensure that replication
only occurs to destinations that are explicitly included within
the defined trust perimeter.
| storage_cross_tenant_replication_disabled101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Core | CCC.Core.CN11.AR01 When encryption keys are used, the service MUST verify that
all encryption keys use the latest industry-standard cryptographic
algorithms.
| storage_ensure_encryption_with_customer_managed_keys101 storage_ensure_minimum_tls_version_12110 storage_secure_transfer_required_is_enabled110 storage_smb_channel_encryption_with_secure_algorithm101 |
| CCC.Core | CCC.Core.CN11.AR02 When encryption keys are used, the service MUST rotate active keys
within 180 days of issuance.
| storage_key_rotation_90_days101 |
| CCC.Core | CCC.Core.CN11.AR03 When encrypting data, the service MUST verify that
customer-managed encryption keys (CMEKs) are used.
| storage_ensure_encryption_with_customer_managed_keys101 |
| CCC.Core | CCC.Core.CN11.AR04 When encryption keys are accessed, the service MUST verify that
access to encryption keys is restricted to authorized personnel
and services, following the principle of least privilege.
| storage_ensure_encryption_with_customer_managed_keys101 |
| CCC.Core | CCC.Core.CN11.AR05 When encryption keys are used, the service MUST rotate active keys
within 365 days of issuance.
| storage_ensure_encryption_with_customer_managed_keys101 storage_key_rotation_90_days101 |
| CCC.Core | CCC.Core.CN13.AR02 When a port is exposed that uses certificate-based encryption,
the service MUST rotate active certificates within 180 days of
issuance.
| storage_ensure_encryption_with_customer_managed_keys101 |
| CCC.DataWar | CCC.DataWar.CN03.AR01 Attempt to query data rows that the user should not have access to and verify
that access is denied or data is not returned.
| postgresql_flexible_server_allow_access_services_disabled550 |
| CCC.GenAI | CCC.GenAI.CN06.AR01 When an LLM invokes an external tool (e.g., an API, a plugin),
then the tool MUST operate with the least privileges required
for performing its intended functionality.
| iam_role_user_access_admin_restricted440 |
| CCC.KeyMgmt | CCC.KeyMgmt.CN01.AR01 When a key version is scheduled for deletion or disabled, an
alert MUST be generated within five minutes.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_service_health_exists101 monitor_diagnostic_settings_exists101 |
| CCC.LB | CCC.LB.CN01.AR02 When throttling is invoked, the load balancer MUST
record the event in the access log within 5 minutes
for alerting and trend analysis.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 network_watcher_enabled101 |
| CCC.LB | CCC.LB.CN04.AR01 When routing weights change, the request MUST originate
from an explicitly defined and trusted identity and MUST
be logged.
| iam_role_user_access_admin_restricted440 monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_diagnostic_settings_exists101 |
| CCC.LB | CCC.LB.CN05.AR01 When stickiness is enabled, session cookies MUST expire
within 30 minutes of inactivity.
| iam_role_user_access_admin_restricted440 |
| CCC.LB | CCC.LB.CN06.AR01 When more than 10 percent of targets change from healthy to
unhealthy within five minutes, an alert MUST be issued.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_service_health_exists101 monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 network_watcher_enabled101 |
| CCC.LB | CCC.LB.CN09.AR01 When an API call originates outside the approved CIDR
set, the request MUST be denied.
| iam_role_user_access_admin_restricted440 |
| CCC.Logging | CCC.Logging.CN01.AR01 When a new cloud account is created, provider-level audit and network flow logging MUST be
enabled by default and directed to the central sink.
| appinsights_ensure_is_configured101 monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Logging | CCC.Logging.CN01.AR02 When a new cloud compute resource is deployed, it MUST be configured to forward all relevant
logs (e.g., OS, application, service logs) to the central log sink.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 network_flow_log_captured_sent404 |
| CCC.Logging | CCC.Logging.CN02.AR01 When a new log bucket or stream is created, its retention policy MUST be configured
in accordance with organisation's data retention policy.
| network_flow_log_more_than_90_days404 |
| CCC.Logging | CCC.Logging.CN02.AR02 When a query is performed to retrieve log events older than the number of days defined
in the organisation's data retention policy, it MUST return an empty result.
| network_flow_log_more_than_90_days404 postgresql_flexible_server_log_retention_days_greater_3505 |
| CCC.Logging | CCC.Logging.CN05.AR01 When a log storage bucket is created, the bucket's access control settings MUST
explicitly deny public read and write access.
| monitor_diagnostic_settings_exists101 storage_blob_public_access_level_is_disabled110 |
| CCC.Logging | CCC.Logging.CN05.AR02 When the URL of a log storage bucket's object is accessed publicly, the action MUST be denied
by bucket policy.
| monitor_diagnostic_settings_exists101 storage_blob_public_access_level_is_disabled110 storage_geo_redundant_enabled110 |
| CCC.Logging | CCC.Logging.CN07.AR01 When an audit log event is recorded that corresponds to a modification of the logging service
configuration such as disabling a log trail, deleting a log sink, or altering a log forwarding rule,
an alert MUST be generated.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_create_update_sqlserver_fr101 monitor_alert_delete_nsg101 monitor_alert_delete_policy_assignment101 monitor_alert_delete_public_ip_address_rule101 monitor_alert_delete_security_solution101 monitor_alert_delete_sqlserver_fr101 monitor_alert_service_health_exists101 monitor_diagnostic_settings_exists101 |
| CCC.MLDE | CCC.MLDE.CN01.AR01 Verify that only authorized users can access MLDE resources,
and that access modes are properly defined and enforced.
| iam_role_user_access_admin_restricted440 |
| CCC.MLDE | CCC.MLDE.CN03.AR01 Verify that root access is disabled on MLDE instances containing sensitive data.
| iam_role_user_access_admin_restricted440 |
| CCC.MLDE | CCC.MLDE.CN03.AR02 For MLDE instances without sensitive data, ensure that root access is only
enabled when necessary and properly authorized.
| iam_role_user_access_admin_restricted440 |
| CCC.MLDE | CCC.MLDE.CN07.AR01 Verify that MLDE instances containing sensitive data cannot be accessed via public IP addresses.
| network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_blob_public_access_level_is_disabled110 storage_default_network_access_rule_is_denied101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.MLDE | CCC.MLDE.CN07.AR02 For MLDE instances without sensitive data requiring public access,
ensure that appropriate security controls are in place and access is approved.
| network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_default_network_access_rule_is_denied101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.MLDE | CCC.MLDE.CN08.AR01 Verify that MLDE instances containing sensitive data can only be deployed in
approved virtual networks with appropriate security controls.
| network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_default_network_access_rule_is_denied101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.MLDE | CCC.MLDE.CN08.AR02 Ensure that MLDE instances without sensitive data are deployed in
networks that meet organizational security standards.
| network_http_internet_access_restricted110 network_rdp_internet_access_restricted110 network_ssh_internet_access_restricted110 network_udp_internet_access_restricted110 storage_default_network_access_rule_is_denied101 storage_ensure_azure_services_are_trusted_to_access_is_enabled110 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.Monitor | CCC.Monitor.CN01.AR01 When an External Monitoring system exceeds the anticipated rate of monitoring checks then
Rate Limiting MUST be applied and an Audit Alert MUST be generated.
| monitor_alert_create_policy_assignment101 monitor_alert_create_update_nsg101 monitor_alert_create_update_public_ip_address_rule101 monitor_alert_create_update_security_solution101 monitor_alert_create_update_sqlserver_fr101 monitor_alert_delete_nsg101 monitor_alert_delete_public_ip_address_rule101 monitor_alert_delete_security_solution101 monitor_alert_service_health_exists101 monitor_diagnostic_settings_exists101 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR01 When a request is made to read a bucket, the service
MUST prevent any request using KMS keys not listed as trusted by
the organization.
| storage_ensure_encryption_with_customer_managed_keys101 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR02 When a request is made to read an object, the service
MUST prevent any request using KMS keys not listed as trusted by
the organization.
| storage_ensure_encryption_with_customer_managed_keys101 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR03 When a request is made to write to a bucket, the service MUST
prevent any request using KMS keys not listed as trusted by the
organization.
| storage_ensure_encryption_with_customer_managed_keys101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR04 When a request is made to write to an object, the service MUST
prevent any request using KMS keys not listed as trusted by the
organization.
| storage_ensure_encryption_with_customer_managed_keys101 |
| CCC.ObjStor | CCC.ObjStor.CN02.AR01 When a permission set is allowed for an object in a bucket, the
service MUST allow the same permission set to access all objects
in the same bucket.
| storage_blob_public_access_level_is_disabled110 storage_default_network_access_rule_is_denied101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.ObjStor | CCC.ObjStor.CN02.AR02 When a permission set is denied for an object in a bucket, the
service MUST deny the same permission set to access all objects
in the same bucket.
| storage_account_key_access_disabled101 storage_blob_public_access_level_is_disabled110 storage_default_to_entra_authorization_enabled101 storage_ensure_private_endpoints_in_storage_accounts101 |
| CCC.ObjStor | CCC.ObjStor.CN03.AR01 When an object storage bucket deletion is attempted, the bucket MUST be
fully recoverable for a set time-frame after deletion is requested.
| storage_blob_versioning_is_enabled110 storage_ensure_soft_delete_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN04.AR01 When an object is uploaded to the object storage system, the object
MUST automatically receive a default retention policy that prevents
premature deletion or modification.
| storage_blob_versioning_is_enabled110 storage_ensure_file_shares_soft_delete_is_enabled110 storage_ensure_soft_delete_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN04.AR02 When an attempt is made to delete or modify an object that is subject
to an active retention policy, the service MUST prevent the action
from being completed.
| storage_ensure_file_shares_soft_delete_is_enabled110 storage_ensure_soft_delete_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR01 When an object is uploaded to the object storage bucket, the object
MUST be stored with a unique identifier.
| storage_blob_versioning_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR02 When an object is modified, the service MUST assign a new unique
identifier to the modified object to differentiate it from the
previous version.
| storage_blob_versioning_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR03 When an object is modified, the service MUST allow for recovery
of previous versions of the object.
| storage_blob_versioning_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR04 When an object is deleted, the service MUST retain other versions of
the object to allow for recovery of previous versions.
| storage_blob_versioning_is_enabled110 |
| CCC.ObjStor | CCC.ObjStor.CN06.AR01 When an object storage bucket is accessed, the service MUST store
access logs in a separate data store.
| monitor_diagnostic_setting_with_appropriate_categories101 monitor_diagnostic_settings_exists101 |
| CCC.Vector | CCC.Vector.CN02.AR01 When an index lifecycle event is triggered, the service MUST
verify that the actor has explicit permissions for the operation type.
| iam_role_user_access_admin_restricted440 |
| CCC.VPC | CCC.VPC.CN04.AR01 When any network traffic goes to or from an interface in the VPC,
the service MUST capture and log all relevant information.
| network_flow_log_captured_sent404 network_flow_log_more_than_90_days404 network_watcher_enabled101 |
Resource Summary
Summary of all resources mentioned in OCSF results
| Resource Name | Resource Type | Control Catalogs | Total Tests | Passing | Failing |
|---|---|---|---|---|---|
083c1758-89d9-4b12-8005-48e7e359dc4f | AzureIAMRoleassignment | 1 | 1 | 0 | |
154eadeb-e375-4263-b4bd-4a2a2237ecd2 | AzureIAMRoleassignment | 1 | 1 | 0 | |
1b4a98ae-5221-4850-a761-4f9176407028 | AzureIAMRoleassignment | 1 | 1 | 0 | |
2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb | AzureIAMRoleassignment | 1 | 1 | 0 | |
AppInsights | Microsoft.Insights/components | 1 | 0 | 1 | |
Bastion Host | Network | No CCC catalogs | 1 | 0 | 1 |
Containers | Microsoft.Security | 1 | 0 | 1 | |
Containers | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
default | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan App Services | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan ARM | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan Cosmos DB | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan DNS | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan KeyVaults | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan Open-Source Relational Databases | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan Servers | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan SQL Server VMs | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Defender plan Storage Accounts | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
Diagnostic Settings | Monitor | 1 | 0 | 1 | |
IoT Hub Defender | DefenderIoT | No CCC catalogs | 1 | 0 | 1 |
MCAS | DefenderSettings | No CCC catalogs | 1 | 1 | 0 |
Monitor | Monitor | 12 | 0 | 12 | |
Network Watcher | Network | 1 | 0 | 1 | |
NetworkWatcher_centralindia | Network | 2 | 0 | 2 | |
NetworkWatcher_southcentralus | Network | 2 | 0 | 2 | |
NetworkWatcher_swedencentral | Network | 2 | 0 | 2 | |
NetworkWatcher_westus2 | Network | 2 | 0 | 2 | |
nsg-lee8 | Network | 4 | 4 | 0 | |
psql-e9rn | PostgreSQL | 7 | 5 | 2 | |
psql-ireu | PostgreSQL | 7 | 5 | 2 | |
psql-rk6x | PostgreSQL | 7 | 5 | 2 | |
psql-rtac | PostgreSQL | 7 | 5 | 2 | |
psql-tumw | PostgreSQL | 7 | 5 | 2 | |
SecurityCenterBuiltIn | Microsoft.Authorization/policyAssignments | No CCC catalogs | 1 | 1 | 0 |
SqlServers | AzureDefenderPlan | No CCC catalogs | 2 | 0 | 2 |
stcfistoragecad63808 | AzureStorageAccount | 16 | 8 | 8 | |
stcfistoragecad63808 | AzureRole | 1 | 0 | 1 | |
WDATP | DefenderSettings | No CCC catalogs | 1 | 1 | 0 |
Test Results
OCSF test results filtered for entries with CCC compliance mappings
| Status | Finding | Resource Name | Resource Type | Message | Test Requirements |
|---|---|---|---|---|---|
| FAIL | Ensure Application Insights are Configured. There are no AppInsight configured in subscription Azure subscription 1. | AppInsights | Microsoft.Insights/components | There are no AppInsight configured in subscription Azure subscription 1. | |
| FAIL | Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider Container image scan is disabled in subscription Azure subscription 1. | Containers | Microsoft.Security | Container image scan is disabled in subscription Azure subscription 1. | |
| PASS | Ensure 'User Access Administrator' role is restricted Role assignment 1b4a98ae-5221-4850-a761-4f9176407028 in subscription Azure subscription 1 does not grant User Access Administrator role. | 1b4a98ae-5221-4850-a761-4f9176407028 | AzureIAMRoleassignment | Role assignment 1b4a98ae-5221-4850-a761-4f9176407028 in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| PASS | Ensure 'User Access Administrator' role is restricted Role assignment 083c1758-89d9-4b12-8005-48e7e359dc4f in subscription Azure subscription 1 does not grant User Access Administrator role. | 083c1758-89d9-4b12-8005-48e7e359dc4f | AzureIAMRoleassignment | Role assignment 083c1758-89d9-4b12-8005-48e7e359dc4f in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| PASS | Ensure 'User Access Administrator' role is restricted Role assignment 2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb in subscription Azure subscription 1 does not grant User Access Administrator role. | 2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb | AzureIAMRoleassignment | Role assignment 2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| PASS | Ensure 'User Access Administrator' role is restricted Role assignment 154eadeb-e375-4263-b4bd-4a2a2237ecd2 in subscription Azure subscription 1 does not grant User Access Administrator role. | 154eadeb-e375-4263-b4bd-4a2a2237ecd2 | AzureIAMRoleassignment | Role assignment 154eadeb-e375-4263-b4bd-4a2a2237ecd2 in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| FAIL | Ensure that Activity Log Alert exists for Create Policy Assignment There is not an alert for creating Policy Assignments in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for creating Policy Assignments in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update Network Security Group There is not an alert for creating/updating Network Security Groups in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for creating/updating Network Security Groups in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule There is not an alert for creating/updating Public IP address rule in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for creating/updating Public IP address rule in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update Security Solution There is not an alert for creating/updating Security Solution in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for creating/updating Security Solution in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule There is not an alert for creating/updating SQL Server firewall rule in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for creating/updating SQL Server firewall rule in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Network Security Group There is not an alert for deleting Network Security Groups in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for deleting Network Security Groups in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Policy Assignment There is not an alert for deleting policy assignment in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for deleting policy assignment in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Public IP Address rule There is not an alert for deleting public IP address rule in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for deleting public IP address rule in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Security Solution There is not an alert for deleting Security Solution in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for deleting Security Solution in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule There is not an alert for deleting SQL Server firewall rule in subscription Azure subscription 1. | Monitor | Monitor | There is not an alert for deleting SQL Server firewall rule in subscription Azure subscription 1. | |
| FAIL | Ensure that an Activity Log Alert exists for Service Health There is no activity log alert for Service Health in subscription Azure subscription 1. | Monitor | Monitor | There is no activity log alert for Service Health in subscription Azure subscription 1. | |
| FAIL | Ensure Diagnostic Setting captures appropriate categories There are no diagnostic settings capturing appropiate categories in subscription Azure subscription 1. | Monitor | Monitor | There are no diagnostic settings capturing appropiate categories in subscription Azure subscription 1. | |
| FAIL | Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs No diagnostic settings found in subscription Azure subscription 1. | Diagnostic Settings | Monitor | No diagnostic settings found in subscription Azure subscription 1. | CCC.AuditLog.CN02.AR01CCC.AuditLog.CN03.AR01CCC.AuditLog.CN03.AR02CCC.AuditLog.CN04.AR01CCC.AuditLog.CN05.AR01CCC.AuditLog.CN06.AR01CCC.AuditLog.CN08.AR01CCC.AuditLog.CN09.AR01CCC.KeyMgmt.CN01.AR01CCC.LB.CN01.AR02CCC.LB.CN06.AR01CCC.LB.CN04.AR01CCC.Logging.CN01.AR01CCC.Logging.CN01.AR02CCC.AuditLog.CN04.AR01CCC.Logging.CN05.AR01CCC.Logging.CN05.AR02CCC.Logging.CN07.AR01CCC.ObjStor.CN06.AR01CCC.Monitor.CN01.AR01CCC.Core.CN09.AR01CCC.Core.CN09.AR02CCC.Core.CN09.AR03CCC.Core.CN04.AR01CCC.Core.CN04.AR02CCC.Core.CN04.AR03CCC.Core.CN07.AR02 |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. Network Watcher NetworkWatcher_southcentralus from subscription Azure subscription 1 has no flow logs | NetworkWatcher_southcentralus | Network | Network Watcher NetworkWatcher_southcentralus from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. Network Watcher NetworkWatcher_centralindia from subscription Azure subscription 1 has no flow logs | NetworkWatcher_centralindia | Network | Network Watcher NetworkWatcher_centralindia from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. Network Watcher NetworkWatcher_westus2 from subscription Azure subscription 1 has no flow logs | NetworkWatcher_westus2 | Network | Network Watcher NetworkWatcher_westus2 from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. Network Watcher NetworkWatcher_swedencentral from subscription Azure subscription 1 has no flow logs | NetworkWatcher_swedencentral | Network | Network Watcher NetworkWatcher_swedencentral from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater Network Watcher NetworkWatcher_southcentralus from subscription Azure subscription 1 has no flow logs | NetworkWatcher_southcentralus | Network | Network Watcher NetworkWatcher_southcentralus from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater Network Watcher NetworkWatcher_centralindia from subscription Azure subscription 1 has no flow logs | NetworkWatcher_centralindia | Network | Network Watcher NetworkWatcher_centralindia from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater Network Watcher NetworkWatcher_westus2 from subscription Azure subscription 1 has no flow logs | NetworkWatcher_westus2 | Network | Network Watcher NetworkWatcher_westus2 from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater Network Watcher NetworkWatcher_swedencentral from subscription Azure subscription 1 has no flow logs | NetworkWatcher_swedencentral | Network | Network Watcher NetworkWatcher_swedencentral from subscription Azure subscription 1 has no flow logs | |
| PASS | Ensure that HTTP(S) access from the Internet is evaluated and restricted Security Group nsg-lee8 from subscription Azure subscription 1 has HTTP internet access restricted. | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has HTTP internet access restricted. | |
| PASS | Ensure that RDP access from the Internet is evaluated and restricted Security Group nsg-lee8 from subscription Azure subscription 1 has RDP internet access restricted. | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has RDP internet access restricted. | |
| PASS | Ensure that SSH access from the Internet is evaluated and restricted Security Group nsg-lee8 from subscription Azure subscription 1 has SSH internet access restricted. | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has SSH internet access restricted. | |
| PASS | Ensure that UDP access from the Internet is evaluated and restricted Security Group nsg-lee8 from subscription Azure subscription 1 has UDP internet access restricted. | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has UDP internet access restricted. | |
| FAIL | Ensure that Network Watcher is 'Enabled' for all locations in the Azure subscription Network Watcher is not enabled for the following locations in subscription 'Azure subscription 1': ukwest, malaysiawest, uksouth, koreasouth, norwayeast, uaenorth, australiacentral, switzerlandwest, newzealandnorth, eastus, centralus, northeurope, westindia, eastus2, japanwest, japaneast, australiasoutheast, southafricanorth, mexicocentral, westus, brazilsouth, israelcentral, germanynorth, eastasia, switzerlandnorth, australiaeast, southafricawest, westus3, brazilsoutheast, francesouth, austriaeast, southindia, uaecentral, chilecentral, westeurope, southeastasia, spaincentral, italynorth, germanywestcentral, canadacentral, jioindiawest, polandcentral, australiacentral2, westcentralus, norwaywest, canadaeast, indonesiacentral, northcentralus, qatarcentral, koreacentral, francecentral, jioindiacentral. | Network Watcher | Network | Network Watcher is not enabled for the following locations in subscription 'Azure subscription 1': ukwest, malaysiawest, uksouth, koreasouth, norwayeast, uaenorth, australiacentral, switzerlandwest, newzealandnorth, eastus, centralus, northeurope, westindia, eastus2, japanwest, japaneast, australiasoutheast, southafricanorth, mexicocentral, westus, brazilsouth, israelcentral, germanynorth, eastasia, switzerlandnorth, australiaeast, southafricawest, westus3, brazilsoutheast, francesouth, austriaeast, southindia, uaecentral, chilecentral, westeurope, southeastasia, spaincentral, italynorth, germanywestcentral, canadacentral, jioindiawest, polandcentral, australiacentral2, westcentralus, norwaywest, canadaeast, indonesiacentral, northcentralus, qatarcentral, koreacentral, francecentral, jioindiacentral. | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Flexible Postgresql server psql-e9rn from subscription Azure subscription 1 has allow public access from any Azure service disabled | psql-e9rn | PostgreSQL | Flexible Postgresql server psql-e9rn from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Flexible Postgresql server psql-ireu from subscription Azure subscription 1 has allow public access from any Azure service disabled | psql-ireu | PostgreSQL | Flexible Postgresql server psql-ireu from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Flexible Postgresql server psql-rk6x from subscription Azure subscription 1 has allow public access from any Azure service disabled | psql-rk6x | PostgreSQL | Flexible Postgresql server psql-rk6x from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has allow public access from any Azure service disabled | psql-rtac | PostgreSQL | Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has allow public access from any Azure service disabled | psql-tumw | PostgreSQL | Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-e9rn from subscription Azure subscription 1 has log_retention disabled | psql-e9rn | PostgreSQL | Flexible Postgresql server psql-e9rn from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-ireu from subscription Azure subscription 1 has log_retention disabled | psql-ireu | PostgreSQL | Flexible Postgresql server psql-ireu from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-rk6x from subscription Azure subscription 1 has log_retention disabled | psql-rk6x | PostgreSQL | Flexible Postgresql server psql-rk6x from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has log_retention disabled | psql-rtac | PostgreSQL | Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has log_retention disabled | psql-tumw | PostgreSQL | Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure allow storage account key access is disabled Storage account stcfistoragecad63808 from subscription Azure subscription 1 has shared key access enabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has shared key access enabled. | |
| PASS | Ensure that the 'Public access level' is set to 'Private (no anonymous access)' for all blob containers in your storage account Storage account stcfistoragecad63808 from subscription Azure subscription 1 has allow blob public access disabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has allow blob public access disabled. | |
| PASS | Ensure Blob Versioning is Enabled on Azure Blob Storage Accounts Storage account stcfistoragecad63808 from subscription Azure subscription 1 has blob versioning enabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has blob versioning enabled. | |
| FAIL | Ensure cross-tenant replication is disabled Storage account stcfistoragecad63808 from subscription Azure subscription 1 has cross-tenant replication enabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has cross-tenant replication enabled. | |
| FAIL | Ensure Default Network Access Rule for Storage Accounts is Set to Deny Storage account stcfistoragecad63808 from subscription Azure subscription 1 has network access rule set to Allow. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has network access rule set to Allow. | |
| FAIL | Ensure Microsoft Entra authorization is enabled by default for Azure Storage Accounts Default to Microsoft Entra authorization is not enabled for storage account stcfistoragecad63808. | stcfistoragecad63808 | AzureStorageAccount | Default to Microsoft Entra authorization is not enabled for storage account stcfistoragecad63808. | |
| PASS | Ensure that 'Allow trusted Microsoft services to access this storage account' is enabled for storage accounts Storage account stcfistoragecad63808 from subscription Azure subscription 1 allows trusted Microsoft services to access this storage account. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 allows trusted Microsoft services to access this storage account. | |
| FAIL | Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys Storage account stcfistoragecad63808 from subscription Azure subscription 1 does not encrypt with CMKs. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 does not encrypt with CMKs. | |
| PASS | Ensure soft delete for Azure File Shares is enabled File share soft delete is enabled for storage account stcfistoragecad63808 with a retention period of 7 days. | stcfistoragecad63808 | AzureStorageAccount | File share soft delete is enabled for storage account stcfistoragecad63808 with a retention period of 7 days. | |
| PASS | Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' Storage account stcfistoragecad63808 from subscription Azure subscription 1 has TLS version set to 1.2. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has TLS version set to 1.2. | |
| FAIL | Ensure Private Endpoints are used to access Storage Accounts Storage account stcfistoragecad63808 from subscription Azure subscription 1 does not have private endpoint connections. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 does not have private endpoint connections. | |
| PASS | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage Storage account stcfistoragecad63808 from subscription Azure subscription 1 has soft delete enabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has soft delete enabled. | |
| PASS | Ensure geo-redundant storage (GRS) is enabled on critical Azure Storage Accounts Storage account stcfistoragecad63808 from subscription Azure subscription 1 has Geo-redundant storage Standard_GRS enabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has Geo-redundant storage Standard_GRS enabled. | |
| FAIL | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' Storage account stcfistoragecad63808 from subscription Azure subscription 1 has infrastructure encryption disabled. | stcfistoragecad63808 | AzureRole | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has infrastructure encryption disabled. | |
| FAIL | Ensure that Storage Account Access Keys are Periodically Regenerated Storage account stcfistoragecad63808 from subscription Azure subscription 1 has no key expiration period set. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has no key expiration period set. | |
| PASS | Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol. Storage account stcfistoragecad63808 from subscription Azure subscription 1 has secure transfer required enabled. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 has secure transfer required enabled. | |
| FAIL | Ensure SMB channel encryption uses a secure algorithm for SMB file shares Storage account stcfistoragecad63808 from subscription Azure subscription 1 does not have SMB channel encryption enabled for file shares. | stcfistoragecad63808 | AzureStorageAccount | Storage account stcfistoragecad63808 from subscription Azure subscription 1 does not have SMB channel encryption enabled for file shares. |