Cloud Conformity Knowledge Base

Copyright © 2021 Trend Micro Incorporated. All rights reserved.

Cloud security platforms like Cloud Conformity are only as useful as the underlying rules powering the engine that checks your infrastructure. Cloud Conformity uses its Knowledge Base of over 500 rules to automate checks across most services supported by AWS. The Knowledge Base is built on the AWS Well-Architected Framework with clear, step-by-step remediation rules actionable through both the AWS Console and CLI. All of our Knowledge Base rules are mapped to compliance standards or endorsed by AWS as best practice checks, and give simple "success" or "failed" results for the highest clarity on your cloud environment's security posture. There are 17 step-by-step guides on implementing S3 best practices through the CLI, and over 350 guides across the different services. Each rule includes the rationale to encourage continuous best practice as your company commits deeper to the cloud. Ensure your AWS services are compliant with certification classifications.

Conformity provides real-time monitoring and auto-remediation for the security, compliance and governance of your cloud infrastructure. Along with continuous assurance of your infrastructure, Cloud Conformity is an educational tool, providing detailed resolution steps to rectify security vulnerabilities, performance and cost inefficiencies, and reliability risks. Whether your cloud exploration is just starting to take shape, you're mid-way through a migration or you're already running complex workloads in the cloud, Conformity offers full visibility of your infrastructure and provides continuous assurance that it is secure, optimized and compliant. Trend Micro Cloud One™ – Conformity has over 750 cloud infrastructure configuration best practices for your Amazon Web Services and Microsoft® Azure environments. This catalogue of cloud guardrails is a core part of Conformity, which automatically monitors and auto-remediates cloud infrastructure.

Figure 5 – SEC 8 Reporting in Conformity.

Microsoft® Azure best practice rules

Azure Active Directory provides an identity platform with enhanced security, access management, scalability, and reliability for connecting users with all the apps they need. The Azure Activity Log provides insight into subscription-level events that have occurred in Azure.

Ensure that an Azure Active Directory (AAD) admin is configured for SQL authentication.
Ensure that an activity log alert is created for the "Delete Network Security Group Rule" events.
Ensure that Azure App Service web applications are using the latest version of PHP.
Ensure that the "Also send email notification to subscription owners" feature is enabled within Azure Security Center.
Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account.
Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On feature.
Ensure there are no custom owner roles within your Microsoft Azure cloud account.
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.
Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).
Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database).
Ensure that the Network Security Group (NSG) flow log retention period is greater than or equal to 90 days.
Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database).
Ensure that security groups can be created only by Active Directory (AD) administrators.
Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.
Ensure that Azure App Service web applications are using the latest version of Python.
Ensure that in-transit encryption is enabled for your Azure PostgreSQL database servers.
Ensure that an activity log alert is created for the "Create/Update Network Security Group Rule" events.
Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.
Ensure that anonymous access to blob containers is disabled within your Azure Storage account.
Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date.
Ensure that an activity log alert exists for "Delete Virtual Machine" events.
Enable network security group recommendations for Microsoft Azure virtual machines (VMs).
Ensure that the Security Center standard pricing tier is enabled in your Microsoft Azure account.
Ensure that non-administrator users are not allowed to access the Active Directory administration portal.
Ensure that a Log Profile exists for each subscription available in your Azure account.
Ensure that the default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration.
Ensure that SQL database auditing has a sufficient log data retention period configured.
Ensure that the Azure Log Profile is configured to capture activity logs for all regions.
Ensure that your Microsoft Azure virtual machines are using managed disk volumes.
Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.
Ensure that the Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.
Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).
Ensure that an activity log alert is created for the "Create/Update Network Security Group" events.
Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).
Ensure that the "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level.
Enable storage encryption monitoring and recommendations for Azure Storage resources.
Ensure that an activity log alert exists for "Delete Storage Account" events.
Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).
Ensure that Microsoft Azure Security Center recommendations are examined and resolved.
Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.
Enable endpoint protection monitoring and recommendations for Microsoft Azure virtual machines.
Ensure that Azure virtual machine scale sets are configured for zone redundancy.
Enable the "log_duration" parameter on your Microsoft Azure PostgreSQL database servers.
Ensure that encryption is enabled for Azure virtual machine boot volumes to protect data at rest.
Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies.
Ensure there is an Azure activity log alert created for "Delete Load Balancer" events.
Ensure that Active Directory (AD) guest users' permissions are limited.
Ensure that geo-redundant backups are enabled for your Azure PostgreSQL database servers.
Ensure that the "Secure transfer required" security feature is enabled within your Azure Storage account configuration.
Ensure that an activity log alert is created for the "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" events.
Ensure that Active Directory users are not allowed to add applications to the Azure Access Panel.
Ensure that JIT network access monitoring for Azure virtual machines (VMs) is enabled.
Allow Trusted Microsoft Services to access your Azure Storage account resources.
Identify and remove unused load balancers from your Microsoft Azure cloud account.
Ensure that next generation firewall monitoring for Azure virtual machines (VMs) is enabled.
Ensure that joining devices to Active Directory requires Multi-Factor Authentication.
Enable the "log_disconnections" parameter for your Microsoft Azure PostgreSQL database servers.
Ensure that PostgreSQL database servers are using the latest major version of the PostgreSQL database.
Ensure that the Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.
Enable FTPS-only access for your Microsoft Azure App Services web applications.
Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts.
Ensure there is more than one owner assigned to your Microsoft Azure subscription.
Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.
Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.
Allow trusted Microsoft services to access your Azure Key Vault resources (i.e.
Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.
Ensure that vulnerability assessment monitoring for Azure virtual machines (VMs) is enabled.
Ensure that DDoS standard protection is enabled for production Azure virtual networks.