

"resourceType": "Microsoft.Storage/storageAccounts"

{
  "controlId": "Azure_Storage_Deploy_Use_Geo_Redundant",
  "description": "Use geo-redundant storage accounts",
  "rationale": "Use of geo-redundant storage (GRS) accounts ensures that data is not completely lost in the event of a regional disaster.",
  "recommendation": "Run command 'Set-AzureRmStorageAccount -Name '' -ResourceGroupName '' -SkuName '''."
}

{
  "controlId": "Azure_Storage_DP_Encrypt_At_Rest_Blob",
  "description": "Sensitive data in Storage Blob must be encrypted at rest",
  "rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
  "recommendation": "Run command 'Set-AzureRmStorageAccount -Name '' -ResourceGroupName '' -StorageEncryption -EnableEncryptionService 'Blob''."
}

{
  "controlId": "Azure_Storage_DP_Encrypt_In_Transit",
  "description": "HTTPS protocol must be used for accessing Storage Account resources",
  "rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, and session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP, else data can still be subject to compromise over clear text connections.",
  "recommendation": "Run command 'Set-AzureRmStorageAccount -ResourceGroupName -name -EnableHttpsTrafficOnly `$true'. Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.",
  "jsonPath": "$.properties.supportsHttpsTrafficOnly"
}

{
  "controlId": "Azure_Storage_DP_Encrypt_At_Rest_File",
  "description": "Sensitive data in Storage File must be encrypted at rest",
  "recommendation": "Run command 'Set-AzureRmStorageAccount -Name '' -ResourceGroupName '' -StorageEncryption -EnableEncryptionService 'File''. Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.",
  "rationale": "... Note that after enabling Storage Service Encryption, only new data will be encrypted, and any existing files in this storage account will remain unencrypted."
}

"resourceType": "Microsoft.DocumentDB/databaseAccounts"

{
  "controlId": "Azure_CosmosDB_AuthZ_Enable_Firewall",
  "description": "Cosmos DB firewall should be enabled",
  "rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets."
}
