| 0 |
CKV_AZURE_1 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
arm |
AzureInstancePassword.py |
| 1 |
CKV_AZURE_2 |
resource |
Microsoft.Compute/disks |
Ensure Azure managed disk have encryption enabled |
arm |
AzureManagedDiscEncryption.py |
| 2 |
CKV_AZURE_3 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that ‘supportsHttpsTrafficOnly’ is set to ‘true’ |
arm |
StorageAccountsTransportEncryption.py |
| 3 |
CKV_AZURE_4 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS logging to Azure Monitoring is Configured |
arm |
AKSLoggingEnabled.py |
| 4 |
CKV_AZURE_5 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure RBAC is enabled on AKS clusters |
arm |
AKSRbacEnabled.py |
| 5 |
CKV_AZURE_6 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS has an API Server Authorized IP Ranges enabled |
arm |
AKSApiServerAuthorizedIpRanges.py |
| 6 |
CKV_AZURE_7 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS cluster has Network Policy configured |
arm |
AKSNetworkPolicy.py |
| 7 |
CKV_AZURE_8 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure Kubernetes Dashboard is disabled |
arm |
AKSDashboardDisabled.py |
| 8 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that RDP access is restricted from the internet |
arm |
NSGRuleRDPAccessRestricted.py |
| 9 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that RDP access is restricted from the internet |
arm |
NSGRuleRDPAccessRestricted.py |
| 10 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that SSH access is restricted from the internet |
arm |
NSGRuleSSHAccessRestricted.py |
| 11 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that SSH access is restricted from the internet |
arm |
NSGRuleSSHAccessRestricted.py |
| 12 |
CKV_AZURE_11 |
resource |
Microsoft.Sql/servers |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
arm |
SQLServerNoPublicAccess.py |
| 13 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
| 14 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
| 15 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
| 16 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
| 17 |
CKV_AZURE_13 |
resource |
Microsoft.Web/sites/config |
Ensure App Service Authentication is set on Azure App Service |
arm |
AppServiceAuthentication.py |
| 18 |
CKV_AZURE_13 |
resource |
config |
Ensure App Service Authentication is set on Azure App Service |
arm |
AppServiceAuthentication.py |
| 19 |
CKV_AZURE_14 |
resource |
Microsoft.Web/sites |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
arm |
AppServiceHTTPSOnly.py |
| 20 |
CKV_AZURE_15 |
resource |
Microsoft.Web/sites |
Ensure web app is using the latest version of TLS encryption |
arm |
AppServiceMinTLSVersion.py |
| 21 |
CKV_AZURE_16 |
resource |
Microsoft.Web/sites |
Ensure that Register with Azure Active Directory is enabled on App Service |
arm |
AppServiceIdentity.py |
| 22 |
CKV_AZURE_17 |
resource |
Microsoft.Web/sites |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
arm |
AppServiceClientCertificate.py |
| 23 |
CKV_AZURE_18 |
resource |
Microsoft.Web/sites |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
arm |
AppServiceHttps20Enabled.py |
| 24 |
CKV_AZURE_19 |
resource |
Microsoft.Security/pricings |
Ensure that standard pricing tier is selected |
arm |
SecurityCenterStandardPricing.py |
| 25 |
CKV_AZURE_20 |
resource |
Microsoft.Security/securityContacts |
Ensure that security contact ‘Phone number’ is set |
arm |
SecurityCenterContactPhone.py |
| 26 |
CKV_AZURE_21 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
arm |
SecurityCenterContactEmailAlert.py |
| 27 |
CKV_AZURE_22 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
arm |
SecurityCenterContactEmailAlertAdmins.py |
| 28 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers |
arm |
SQLServerAuditingEnabled.py |
| 29 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers |
arm |
SQLServerAuditingEnabled.py |
| 30 |
CKV_AZURE_24 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
arm |
SQLServerAuditingRetention90Days.py |
| 31 |
CKV_AZURE_25 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
arm |
SQLServerThreatDetectionTypes.py |
| 32 |
CKV_AZURE_26 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
arm |
SQLServerEmailAlertsEnabled.py |
| 33 |
CKV_AZURE_27 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
arm |
SQLServerEmailAlertsToAdminsEnabled.py |
| 34 |
CKV_AZURE_28 |
resource |
Microsoft.DBforMySQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
arm |
MySQLServerSSLEnforcementEnabled.py |
| 35 |
CKV_AZURE_29 |
resource |
Microsoft.DBforPostgreSQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
arm |
PostgreSQLServerSSLEnforcementEnabled.py |
| 36 |
CKV_AZURE_30 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogCheckpointsEnabled.py |
| 37 |
CKV_AZURE_30 |
resource |
configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogCheckpointsEnabled.py |
| 38 |
CKV_AZURE_31 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogConnectionsEnabled.py |
| 39 |
CKV_AZURE_31 |
resource |
configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogConnectionsEnabled.py |
| 40 |
CKV_AZURE_32 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerConnectionThrottlingEnabled.py |
| 41 |
CKV_AZURE_32 |
resource |
configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerConnectionThrottlingEnabled.py |
| 42 |
CKV_AZURE_33 |
resource |
Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings |
Ensure Storage logging is enabled for Queue service for read, write and delete requests |
arm |
StorageAccountLoggingQueueServiceEnabled.py |
| 43 |
CKV_AZURE_34 |
resource |
Microsoft.Storage/storageAccounts/blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
StorageBlobServiceContainerPrivateAccess.py |
| 44 |
CKV_AZURE_34 |
resource |
blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
StorageBlobServiceContainerPrivateAccess.py |
| 45 |
CKV_AZURE_34 |
resource |
containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
StorageBlobServiceContainerPrivateAccess.py |
| 46 |
CKV_AZURE_35 |
resource |
Microsoft.Storage/storageAccounts |
Ensure default network access rule for Storage Accounts is set to deny |
arm |
StorageAccountDefaultNetworkAccessDeny.py |
| 47 |
CKV_AZURE_36 |
resource |
Microsoft.Storage/storageAccounts |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
arm |
StorageAccountAzureServicesAccessEnabled.py |
| 48 |
CKV_AZURE_37 |
resource |
Microsoft.Insights/logprofiles |
Ensure that Activity Log Retention is set 365 days or greater |
arm |
MonitorLogProfileRetentionDays.py |
| 49 |
CKV_AZURE_38 |
resource |
Microsoft.Insights/logprofiles |
Ensure audit profile captures all the activities |
arm |
MonitorLogProfileCategories.py |
| 50 |
CKV_AZURE_39 |
resource |
Microsoft.Authorization/roleDefinitions |
Ensure that no custom subscription owner roles are created |
arm |
CustomRoleDefinitionSubscriptionOwner.py |
| 51 |
CKV_AZURE_40 |
resource |
Microsoft.KeyVault/vaults/keys |
Ensure that the expiration date is set on all keys |
arm |
KeyExpirationDate.py |
| 52 |
CKV_AZURE_41 |
resource |
Microsoft.KeyVault/vaults/secrets |
Ensure that the expiration date is set on all secrets |
arm |
SecretExpirationDate.py |
| 53 |
CKV_AZURE_42 |
resource |
Microsoft.KeyVault/vaults |
Ensure the key vault is recoverable |
arm |
KeyvaultRecoveryEnabled.py |
| 54 |
CKV_AZURE_47 |
resource |
Microsoft.DBforMariaDB/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers |
arm |
MariaDBSSLEnforcementEnabled.py |
| 55 |
CKV_AZURE_49 |
resource |
Microsoft.Compute/virtualMachineScaleSets |
Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) |
arm |
AzureScaleSetPassword.py |
| 56 |
CKV_AZURE_50 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Virtual Machine Extensions are not Installed |
arm |
AzureInstanceExtensions.py |
| 57 |
CKV_AZURE_58 |
resource |
Microsoft.Synapse/workspaces |
Ensure that Azure Synapse workspaces enables managed virtual networks |
arm |
SynapseWorkspaceEnablesManagedVirtualNetworks.py |
| 58 |
CKV_AZURE_59 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that Storage accounts disallow public access |
arm |
StorageAccountDisablePublicAccess.py |
| 59 |
CKV_AZURE_63 |
resource |
Microsoft.Web/sites/config |
Ensure that App service enables HTTP logging |
arm |
AppServiceHttpLoggingEnabled.py |
| 60 |
CKV_AZURE_65 |
resource |
Microsoft.Web/sites/config |
Ensure that App service enables detailed error messages |
arm |
AppServiceDetailedErrorMessagesEnabled.py |
| 61 |
CKV_AZURE_66 |
resource |
Microsoft.Web/sites/config |
Ensure that App service enables failed request tracing |
arm |
AppServiceEnableFailedRequest.py |
| 62 |
CKV_AZURE_80 |
resource |
Microsoft.Web/sites/config |
Ensure that ‘Net Framework’ version is the latest, if used as a part of the web app |
arm |
AppServiceDotnetFrameworkVersion.py |
| 63 |
CKV_AZURE_88 |
resource |
Microsoft.Web/sites/config |
Ensure that app services use Azure Files |
arm |
AppServiceUsedAzureFiles.py |
| 64 |
CKV_AZURE_89 |
resource |
Microsoft.Cache/redis |
Ensure that Azure Cache for Redis disables public network access |
arm |
RedisCachePublicNetworkAccessEnabled.py |
| 65 |
CKV_AZURE_93 |
resource |
Microsoft.Compute/disks |
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
arm |
AzureManagedDiskEncryptionSet.py |
| 66 |
CKV_AZURE_94 |
resource |
Microsoft.DBforMySQL/flexibleServers |
Ensure that My SQL server enables geo-redundant backups |
arm |
MySQLGeoBackupEnabled.py |
| 67 |
CKV_AZURE_100 |
resource |
Microsoft.DocumentDb/databaseAccounts |
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
arm |
CosmosDBHaveCMK.py |
| 68 |
CKV_AZURE_101 |
resource |
Microsoft.DocumentDB/databaseAccounts |
Ensure that Azure Cosmos DB disables public network access |
arm |
CosmosDBDisablesPublicNetwork.py |
| 69 |
CKV_AZURE_107 |
resource |
Microsoft.ApiManagement/service |
Ensure that API management services use virtual networks |
arm |
APIServicesUseVirtualNetwork.py |
| 70 |
CKV_AZURE_109 |
resource |
Microsoft.KeyVault/vaults |
Ensure that key vault allows firewall rules settings |
arm |
KeyVaultEnablesFirewallRulesSettings.py |
| 71 |
CKV_AZURE_111 |
resource |
Microsoft.KeyVault/vaults |
Ensure that key vault enables soft delete |
arm |
KeyVaultEnablesSoftDelete.py |
| 72 |
CKV_AZURE_112 |
resource |
Microsoft.KeyVault/vaults/keys |
Ensure that key vault key is backed by HSM |
arm |
KeyBackedByHSM.py |
| 73 |
CKV_AZURE_113 |
resource |
Microsoft.Sql/servers |
Ensure that SQL server disables public network access |
arm |
SQLServerHasPublicAccessDisabled.py |
| 74 |
CKV_AZURE_114 |
resource |
Microsoft.KeyVault/vaults/secrets |
Ensure that key vault secrets have “content_type” set |
arm |
SecretContentType.py |
| 75 |
CKV_AZURE_121 |
resource |
Microsoft.Network/frontDoors |
Ensure that Azure Front Door enables WAF |
arm |
AzureFrontDoorEnablesWAF.py |
| 76 |
CKV_AZURE_123 |
resource |
Microsoft.Network/FrontDoorWebApplicationFirewallPolicies |
Ensure that Azure Front Door uses WAF in “Detection” or “Prevention” modes |
arm |
FrontdoorUseWAFMode.py |
| 77 |
CKV_AZURE_130 |
resource |
Microsoft.DBforPostgreSQL/servers |
Ensure that PostgreSQL server enables infrastructure encryption |
arm |
PostgreSQLEncryptionEnabled.py |
| 78 |
CKV_AZURE_131 |
parameter |
secureString |
SecureString parameter should not have hardcoded default values |
arm |
SecureStringParameterNoHardcodedValue.py |
| 79 |
CKV_AZURE_132 |
resource |
Microsoft.DocumentDB/databaseAccounts |
Ensure cosmosdb does not allow privileged escalation by restricting management plane changes |
arm |
CosmosDBDisableAccessKeyWrite.py |
| 80 |
CKV_AZURE_134 |
resource |
Microsoft.CognitiveServices/accounts |
Ensure that Cognitive Services accounts disable public network access |
arm |
CognitiveServicesDisablesPublicNetwork.py |
| 81 |
CKV_AZURE_149 |
resource |
Microsoft.Compute/virtualMachineScaleSets |
Ensure that Virtual machine does not enable password authentication |
arm |
VMDisablePasswordAuthentication.py |
| 82 |
CKV_AZURE_149 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that Virtual machine does not enable password authentication |
arm |
VMDisablePasswordAuthentication.py |
| 83 |
CKV_AZURE_151 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Windows VM enables encryption |
arm |
WinVMEncryptionAtHost.py |
| 84 |
CKV_AZURE_160 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that HTTP (port 80) access is restricted from the internet |
arm |
NSGRuleHTTPAccessRestricted.py |
| 85 |
CKV_AZURE_160 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that HTTP (port 80) access is restricted from the internet |
arm |
NSGRuleHTTPAccessRestricted.py |
| 86 |
CKV_AZURE_216 |
resource |
Microsoft.Network/azureFirewalls |
Ensure DenyIntelMode is set to Deny for Azure Firewalls |
arm |
AzureFirewallDenyThreatIntelMode.py |
| 87 |
CKV2_AZURE_23 |
resource |
Microsoft.AppPlatform/Spring |
Ensure Azure spring cloud is configured with Virtual network (Vnet) |
arm |
AzureSpringCloudConfigWithVnet.yaml |
| 88 |
CKV2_AZURE_27 |
resource |
Microsoft.Sql/servers |
Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) |
arm |
SQLServerUsesADAuth.py |