Azure SQL Database instances with unrestricted ranges of allowable IP addresses unnecessarily broaden an organization's attack surface. Services open to interaction with the public are subjected to almost continuous scanning and probing by attackers.

Example 1: The following example template defines an overly exposed Azure SQL Database instance.

resource example 'Microsoft.Sql/servers@2021-11-01' = {
    ...
    resource fwRules 'firewallRules' = {
        properties: {
            startIpAddress: '0.0.0.0'
            endIpAddress: '255.255.255.255'
        }
    }
}

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a protection mechanism to ensure the authenticity, confidentiality, and integrity of data transmitted between a client and web server. Both TLS and SSL have undergone revisions that result in periodic version updates. Each new revision addresses security weaknesses discovered in the previous version. Use of an insecure version of TLS/SSL weakens the strength of the data protection and might allow an attacker to compromise, steal, or modify sensitive information.

Insecure versions of TLS/SSL might exhibit one or more of the following properties:

- No protection against man-in-the-middle attacks
- Same key used for authentication and encryption
- Weak message authentication control
- No protection against TCP connection closing

The presence of these properties might enable an attacker to intercept, modify, or tamper with sensitive data.

Application Gateways are typically used for managing web traffic, including SSL termination. Exposing traffic on port 80 without encryption can leave sensitive data vulnerable to interception, making the system susceptible to attacks.

Example 1: The following example shows a misconfigured Application Gateway that allows unencrypted HTTP traffic on port 80:

resource example 'Microsoft.Network/applicationGateways@2024-09-02-preview' = {
    ...
    properties: {
        frontendPorts: [
            {
                port: 80
            }
        ]
    }
}

Data Box Edge devices are used for offline data transfer to Azure, often handling sensitive data. Disabling SSL exposes data transfers to potential interception, compromising confidentiality and integrity.

Example 1: The following example shows a misconfigured Data Box Edge device configuration where SSL is disabled by setting the sslStatus property to DISABLED:

resource example 'Microsoft.DataBoxEdge/dataBoxEdgeDevices@2024-09-02-preview' = {
    ...
    properties: {
        sslStatus: 'Disabled'
    }
}

Azure Data Factory linked services can be configured to connect to various data stores. The sslMode property, when set to 0 (disable), 1 (allow), or 2 (prefer), does not fully enforce a secure SSL/TLS connection. This can leave data transfers vulnerable to interception or downgrade attacks.

Example 1: The following example shows a misconfigured linked service using sslMode set to 0 (disabled). The same risk applies if sslMode is 1 or 2:

resource example 'Microsoft.DataFactory/factories/linkedservices@2024-09-02-preview' = {
    ...
    properties: {
        typeProperties: {
            sslMode: 0
        }
    }
}

Azure Front Door is a global, scalable entry point for managing web traffic. Allowing unencrypted HTTP traffic exposes sensitive data to potential interception. It is crucial to ensure that only secure HTTPS traffic is accepted.

Example 1: The following example shows a misconfigured Front Door service that accepts HTTP traffic, which is insecure:

resource example 'Microsoft.Network/frontDoors@2024-09-02-preview' = {
    ...
    properties: {
        routingRules: [
            {
                properties: {
                    acceptedProtocols: ['Http', 'Https']
                }
            }
        ]
    }
}

Grafana is commonly used for monitoring and alerting, often relying on SMTP for sending notifications. Configuring SMTP without enforcing secure TLS communication leaves email credentials and content vulnerable to interception. It is critical to ensure that SMTP connections are encrypted using TLS.

Example 1: The following example shows a misconfigured Grafana resource where TLS is not enforced:

resource example 'Microsoft.Dashboard/grafana@2024-09-02-preview' = {
    ...
    properties: {
        grafanaConfigurations: {
            smtp: {
                startTLSPolicy: 'NoStartTLS'
            }
        }
    }
}

Example 2: The following example shows a misconfigured Grafana resource using `OpportunisticStartTLS`, which means that SMTP transactions are encrypted if STARTTLS is supported by the SMTP server. If STARTTLS is not supported, the messages are sent in plain text, leaving the email communication vulnerable:

resource example 'Microsoft.Dashboard/grafana@2024-09-02-preview' = {
    ...
    properties: {
        grafanaConfigurations: {
            smtp: {
                startTLSPolicy: 'OpportunisticStartTLS'
            }
        }
    }
}

Disabling SSL for hostname bindings exposes web traffic to potential interception, making sensitive information vulnerable to attackers. In an ideal configuration, enable SSL to secure the connection between the client and the web application.

Example 1: The following example shows a misconfigured hostname binding where SSL is disabled:

resource example 'Microsoft.Web/sites/hostNameBindings@2024-09-02-preview' = {
    ...
    properties: {
        sslState: 'Disabled'
    }
}

Machine Learning services often handle sensitive data and computations. Disabling SSL means that communication between clients and the service is not encrypted, leaving it vulnerable to interception and unauthorized access.

Example 1: The following example shows a misconfigured Machine Learning service where SSL is disabled by setting the sslEnabled property to false:

resource example 'Microsoft.MachineLearningServices/workspaces/services@2024-09-02-preview' = {
    ...
    properties: {
        sslEnabled: false
    }
}

Unencrypted communication channels are prone to eavesdropping and tampering.

Disabling transport security exposes the data to unauthorized access, potential theft, and tampering.

Unencrypted communication channels are prone to eavesdropping and tampering.

Disabling transport security exposes the data to unauthorized access, potential theft, and tampering.

Unencrypted communication channels are prone to eavesdropping and tampering.

Disabling transport security exposes the data to unauthorized access, potential theft, and tampering.

When configuring Azure VMware Solution (AVS) private clouds, it's critical to enable SSL for LDAP connections to protect sensitive information. Disabling SSL such as setting the ssl property to DISABLED, can expose directory credentials and data to potential interception or man-in-the-middle attacks.

Example 1: The following example shows a misconfigured private cloud resource where ssl is disabled:

resource example 'Microsoft.AVS/privateClouds@2024-09-02-preview' = {
    ...
    properties: {
        identitySources: [
            {
                ssl: 'Disabled'
            }
        ]
    }
}

Insufficiently protected data communication channels can put critical organizational data at risk of theft, tampering, or disclosure.

By default, Azure Kubernetes Service (AKS) clusters do not send log events to Azure Monitor. This can allow malicious behavior to go undetected and prevent forensic analysis in the event of a breach.

Example 1: The following example template shows an AKS cluster that does not send log events to Azure Monitor.

resource example 'Microsoft.ContainerService/managedClusters@2018-03-31' = {
    ...
    properties: {
        ...
        addonProfiles: {}
    }
}

A short retention period reduces the amount of log information that the organization can consult in the event of an investigation. Industry standards recommend different retention periods depending on the type of data and the legal obligations required for the organization.

A lack of audit records limits the ability to detect and respond to security related incidents and prevents forensic investigation.

Example 1: The following example template defines an Azure Monitor log profile that does not collect all Activity Log administrative events.

targetScope = 'subscription'

resource example 'microsoft.insights/logprofiles@2016-03-01' = {
    ...
    properties: {
        ...
        categories: [ 'Write' ]
    }
}

Unmonitored systems provide attackers with a way to probe and potentially penetrate defenses without detection.

If security personnel are not alerted in a timely fashion to security-related events, they cannot respond to incidents in time to reduce the impact of an attack or breach.

Example 1: The following example template successfully defines a security contact but explicitly disables the delivery of security alert email notifications to that contact.

targetScope = 'subscription'

param emailAddress string
param phoneNumber string

resource example 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
    ...
    properties: {
        ...
        emails: emailAddress
        phone: phoneNumber
        alertNotifications: {
            state: 'Off'
            minimalSeverity: 'High'
        }
    }
}

A short retention period reduces the amount of log information that the organization can consult in the event of an investigation. Industry standards recommend different retention periods depending on the type of data and the legal obligations required for the organization.

A lack of audit records limits the ability to detect and respond to security related incidents and prevents forensic investigation.

Example 1: The following example template shows an Azure SQL server configuration without auditing enabled.

@secure()
param sqlLogin string

@secure()
param sqlLoginPass string

param location string = resourceGroup().location

resource sqlServer 'Microsoft.Sql/servers@2021-11-01-preview' = {
    name: 'server name'
    location: location
    tags: {
        displayName: 'server name'
    }
    properties: {
        administratorLogin: sqlLogin
        administratorLoginPassword: sqlLoginPass
        version: '12.0'
        publicNetworkAccess: 'Disabled'
    }
}