185 找到的項目

弱點

Azure ARM Misconfiguration: Databricks Missing Customer-Managed Encryption Key

Bicep
JSON

Abstract

組態未將客戶自管加密金鑰指定給靜態資料。

Explanation

客戶自管金鑰未用於加密靜態資料。

客戶自管金鑰讓組織能夠使用自己選擇的加密金鑰來加密資料。這讓組織可以妥善控制加密過程。

因此，客戶自管金鑰通常會納入解決方案的一部分，可滿足包括但不限於以下需求：
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[9] Standards Mapping - FIPS200 MP

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

組態未將客戶自管加密金鑰指定給靜態資料。

Explanation

客戶自管金鑰未用於加密靜態資料。

客戶自管金鑰讓組織能夠使用自己選擇的加密金鑰來加密資料。這讓組織可以妥善控制加密過程。

因此，客戶自管金鑰通常會納入解決方案的一部分，可滿足包括但不限於以下需求：
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[9] Standards Mapping - FIPS200 MP

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Azure ARM Misconfiguration: Event Hubs Missing Customer-Managed Encryption Key

Bicep
JSON

Abstract

組態未將客戶自管加密金鑰指定給靜態資料。

Explanation

客戶自管金鑰未用於加密靜態資料。

客戶自管金鑰讓組織能夠使用自己選擇的加密金鑰來加密資料。這讓組織可以妥善控制加密過程。

因此，客戶自管金鑰通常會納入解決方案的一部分，可滿足包括但不限於以下需求：
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[9] Standards Mapping - FIPS200 MP

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

組態未將客戶自管加密金鑰指定給靜態資料。

Explanation

客戶自管金鑰未用於加密靜態資料。

客戶自管金鑰讓組織能夠使用自己選擇的加密金鑰來加密資料。這讓組織可以妥善控制加密過程。

因此，客戶自管金鑰通常會納入解決方案的一部分，可滿足包括但不限於以下需求：
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[9] Standards Mapping - FIPS200 MP

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Azure ARM Misconfiguration: Hardcoded Secret

JSON

Abstract

範本為具有安全類型的參數定義預設值。

Explanation

敏感的 Azure ARM 範本參數 (例如密碼) 通常使用 securestring 或 secureobject 類型。

對於使用安全類型的參數，參數值不會記錄或儲存在部署歷程記錄中。

但是，如果為安全類型設定了硬式編碼的預設值，則任何人只要可以存取範本或部署歷程記錄，就可以讀取該預設值。

硬式編碼的機密會導致無法輕易修正的安全性問題。當軟體進入生產階段後，除非更新軟體，否則無法變更遭外洩的機密。

如果是用於加密資料的機密，則必須管理金鑰輪換步驟以解密和重新加密受外洩金鑰保護的所有資料。

範例 1：以下範本顯示一個具有機密類型的參數，而機密類型使用硬式編碼的預設值。


{
    ...
    "parameters": {
        "rootPassword": {
            "defaultValue": "HardcodedPassword",
            "type": "secureString"
        },
        "adminLogin": {
            "type": "string"
        },
        "sqlServerName": {
            "type": "string"
        }
    },
    ...
}

References

[1] CISA Alert (TA13-175A) - Risks of Default Passwords on the Internet

[2] Microsoft Use Azure Key Vault to pass secure parameter value during deployment

[3] Microsoft ARM template best practices - Security recommendations for parameters

[4] Microsoft String functions for ARM templates - newGuid

[5] Microsoft Test cases for ARM templates - Secure parameters can't have hardcoded default

[6] Microsoft Data types in ARM templates - Secure strings and objects

[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[8] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[12] Standards Mapping - CIS Kubernetes Benchmark complete

[13] Standards Mapping - Common Weakness Enumeration CWE ID 321

[14] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798

[15] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798

[16] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798

[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[18] Standards Mapping - FIPS200 IA

[19] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)

[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management

[22] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[23] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[24] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[25] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[26] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[27] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[28] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)

[30] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6, Requirement 8.3.2

[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography

[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[42] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259

[43] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798

[44] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798

[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II

[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II

[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II

[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II

[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II

[65] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

desc.structural.json.azure_arm_misconfiguration_hardcoded_secret

Azure ARM Misconfiguration: HTTPS Not Required

JSON

Abstract

HTTP 流量已明確啟用。

Explanation

透過 HTTP 傳送的所有資料都會顯示，安全性可能降低。
範例 1：


"supportsHttpsTrafficOnly": "false"

References

[1] Microsoft.Storage storageAccounts template reference

[2] Require secure transfer to ensure secure connections

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 319

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[10] Standards Mapping - FIPS200 SC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 1.14.1 Configuration Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 8.1.6 General Data Protection (L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.json.azure_arm_misconfiguration_https_not_required

Azure ARM Misconfiguration: Improper AKS Network Access Control

Bicep
JSON

Abstract

範本無法限制對 Kubernetes API 伺服器的存取。

Explanation

可公開存取的 Kubernetes API 伺服器可能會使組織暴露於攻擊的風險中。

範例 1：以下範例顯示一個定義 Kubernetes 服務叢集的範本，該叢集未限制允許連線至 API 伺服器的 IP 位址範圍。


param location string = resourceGroup().location

resource example 'Microsoft.ContainerService/managedClusters@2020-02-01' = {
    name: 'TestCluster'
    location: location
    properties: {
        ...
        servicePrincipalProfile: {
            clientId: '422313d8-123a-41ea-8f8e-90821ff61c05'
            secret: 'xxxxxxxxxxxxxxxxx'
        }
    }
}

References

[1] microsoft Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - Common Weakness Enumeration CWE ID 749

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.bicep.azure_arm_misconfiguration_improper_aks_network_access_control

Abstract

範本無法限制對 Kubernetes API 伺服器的存取。

Explanation

可公開存取的 Kubernetes API 伺服器可能會使組織暴露於攻擊的風險中。

範例 1：以下範例顯示一個定義 Kubernetes 服務叢集的範本，該叢集未限制允許連線至 API 伺服器的 IP 位址範圍。


{
    "name": "TestCluster",
    "type": "Microsoft.ContainerService/managedClusters",
    "apiVersion": "2020-02-01",
    "location": "[resourceGroup().location]",
    "properties": {
    ...
    "servicePrincipalProfile": {
        "clientId": "422313d8-123a-41ea-8f8e-90821ff61c05",
        "secret": "xxxxxxxxxxxxxxxxx"
    },
    }
}

References

[1] microsoft Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - Common Weakness Enumeration CWE ID 749

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.json.azure_arm_misconfiguration_improper_aks_network_access_control

Azure ARM Misconfiguration: Improper App Service Access Control

Bicep
JSON

Abstract

範本定義一個啟用了遠端除錯的 Azure App Service。

Explanation

除錯介面為攻擊者提供資訊，他們可以利用這些資訊進行更具目標性的攻擊。

範例 1：以下範例範本定義一個啟用了遠端除錯的 Azure 應用服務。


resource example 'Microsoft.Web/sites/config@2022-09-01' = {
    ...
    properties: {
        ...
        remoteDebuggingEnabled: true
    }
}

References

[1] Chris Westbrook and Susan Leighton Remote debugging Azure App Services

[2] Microsoft Azure security baseline for App Service

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark Complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 11

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[10] Standards Mapping - FIPS200 CM

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.bicep.azure_arm_misconfiguration_improper_app_service_access_control

Abstract

範本定義一個啟用了遠端除錯的 Azure App Service。

Explanation

除錯介面為攻擊者提供資訊，他們可以利用這些資訊進行更具目標性的攻擊。

範例 1：以下範例範本定義一個啟用了遠端除錯的 Azure 應用服務。


{
    ...
    "type": "Microsoft.Web/sites/config",
    "properties":
    {
        ...
        "remoteDebuggingEnabled": true,
    }
}

References

[1] Chris Westbrook and Susan Leighton Remote debugging Azure App Services

[2] Microsoft Azure security baseline for App Service

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark Complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 11

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[10] Standards Mapping - FIPS200 CM

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.json.azure_arm_misconfiguration_improper_app_service_access_control

Azure ARM Misconfiguration: Improper Blob Storage Access Control

Bicep
JSON

Abstract

範本將定義一個允許匿名存取的 Azure Blob 儲存體容器。

Explanation

依預設，Azure Blob 儲存體容器會阻止匿名存取其 Blob。

存取組態不足會將系統暴露在外，並擴大組織的受攻擊面。開放公開存取的資源可能會無意間洩露敏感資料。

範例 1：以下範例範本將定義一個 Azure Blob 儲存體容器，其中 publicAccess 屬性設定為 Container。這會允許匿名存取容器的所有 Blob 和資料。


param storageAccountName string
param containerName string

resource example 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-04-01' = {
    name: '${storageAccountName}/default/${containerName}'
    ...
    properties: {
        ...
        publicAccess: 'Container'
    }
}

References

[1] Microsoft Secure your Azure Storage account

[2] Microsoft Prevent anonymous public read access to containers and blobs - Remediate anonymous public access

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359

[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475

[13] Standards Mapping - FIPS200 CM

[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[18] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access

[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.bicep.azure_arm_misconfiguration_improper_blob_storage_access_control.base

Abstract

範本將定義一個允許匿名存取的 Azure Blob 儲存體容器。

Explanation

依預設，Azure Blob 儲存體容器會阻止匿名存取其 Blob。

存取組態不足會將系統暴露在外，並擴大組織的受攻擊面。開放公開存取的資源可能會無意間洩露敏感資料。

範例 1：以下範例範本將定義一個 Azure Blob 儲存體容器，其中 publicAccess 屬性設定為 Container。這會允許匿名存取容器的所有 Blob 和資料。


{
    "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
    "apiVersion": "2021-04-01",
    "name": "[format('{0}/default/{1}', parameters('storageAccountName'), parameters('containerName'))]",
    "properties":{
        "publicAccess": "Container"
    }
    ,
    "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    ]
}

References

[1] Microsoft Secure your Azure Storage account

[2] Microsoft Prevent anonymous public read access to containers and blobs - Remediate anonymous public access

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359

[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475

[13] Standards Mapping - FIPS200 CM

[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[18] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access

[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.json.azure_arm_misconfiguration_improper_blob_storage_access_control.base

Azure ARM Misconfiguration: Improper Compute VM Access Control

Bicep
JSON

Abstract

範本將定義一個允許 SSH 基本驗證的 VM。

Explanation

受基本驗證保護的系統為攻擊者提供了一個潛在弱連結。攻擊者可透過暴力破解、猜測或社交工程破解密碼 (尤其是低強度的密碼)。

範例 1：以下範例顯示允許 SSH 基本驗證的 VM。


resource example 'Microsoft.Compute/virtualMachines@2021-03-01' = {
    ...
    properties: {
        ...
        osProfile: {
            ...
            linuxConfiguration: {
                ...
                disablePasswordAuthentication: false
            }
        }
    }
}

References

[1] Yanelis Lopez Eliminate Password-Based Attacks on Azure Linux VMs

[2] Robert Ford No more passwords: the relentless commitment to creating a password-less world at Microsoft

[3] Microsoft Azure Documentation: Microsoft.Compute virtualMachines

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.5

[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Partial

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark Integrity

[9] Standards Mapping - CIS Kubernetes Benchmark Partial

[10] Standards Mapping - Common Weakness Enumeration CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798

[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[15] Standards Mapping - FIPS200 CM

[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[19] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[20] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[21] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[23] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[25] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[39] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.bicep.azure_arm_misconfiguration_improper_compute_vm_access_control

Abstract

範本將定義一個允許 SSH 基本驗證的 VM。

Explanation

受基本驗證保護的系統為攻擊者提供了一個潛在弱連結。攻擊者可透過暴力破解、猜測或社交工程破解密碼 (尤其是低強度的密碼)。

範例 1：以下範例顯示允許 SSH 基本驗證的 VM。


{
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2021-03-01",
            "name": "[variables('vmName')]",
            "location": "[parameters('location')]",
            ...
            "osProfile": {
                "computerName": "[variables('vmName')]",
                "adminUsername": "[parameters('adminUsername')]",
                "linuxConfiguration": {
                    "disablePasswordAuthentication": false
                }
            },
            ...
        }
    ]
}

References

[1] Yanelis Lopez Eliminate Password-Based Attacks on Azure Linux VMs

[2] Robert Ford No more passwords: the relentless commitment to creating a password-less world at Microsoft

[3] Microsoft Azure Documentation: Microsoft.Compute virtualMachines

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.5

[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Partial

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark Integrity

[9] Standards Mapping - CIS Kubernetes Benchmark Partial

[10] Standards Mapping - Common Weakness Enumeration CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798

[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[15] Standards Mapping - FIPS200 CM

[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[19] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[20] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[21] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[23] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[25] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[39] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.json.azure_arm_misconfiguration_improper_compute_vm_access_control

Azure ARM Misconfiguration: Improper Container Registry Network Access Control

Bicep
JSON

Abstract

範本將定義一個未限制網路存取的 Azure Container Registry。

Explanation

存取組態不足會將系統暴露在外，並擴大組織的受攻擊面。開放與網際網路互動的服務會受到惡意實體連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下範例範本透過啟用 publicNetworkAccess 屬性且不建立任何 IP 限制來定義未限制網路存取的 Azure Container Registry。


resource example 'Microsoft.ContainerRegistry/registries@2022-12-01' = {
    ...
    properties: {
        ...
        publicNetworkAccess: 'Enabled'
    }
}

範例 2：以下範例範本透過指定廣泛的允許清單給 networkRuleSet 屬性來定義未限制網路存取的 Azure Container Registry。


resource example 'Microsoft.ContainerRegistry/registries@2022-12-01' = {
    ...
    properties: {
        ...
        publicNetworkAccess: 'Enabled'
        networkRuleSet: {
            defaultAction: 'Allow'
            ipRules: [
                {
                    action: 'Allow'
                    value: '*'
                }
            ]
        }
    }
}

References

[1] Microsoft Azure Container Registry Documentation - Configure public IP network rules

[2] Microsoft Azure security baseline for Container Registry

[3] Microsoft Restrict access to a container registry using a service endpoint in an Azure virtual network

[4] Microsoft Connect privately to an Azure container registry using Azure Private Link

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[9] Standards Mapping - CIS Kubernetes Benchmark partial

[10] Standards Mapping - Common Weakness Enumeration CWE ID 749

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.bicep.azure_arm_misconfiguration_improper_container_registry_network_access_control

Abstract

範本將定義一個未限制網路存取的 Azure Container Registry。

Explanation

存取組態不足會將系統暴露在外，並擴大組織的受攻擊面。開放與網際網路互動的服務會受到惡意實體連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下範例範本透過啟用 publicNetworkAccess 屬性且不建立任何 IP 限制來定義未限制網路存取的 Azure Container Registry。


{
    "name": "[variables('acrName')]",
    "type": "Microsoft.ContainerRegistry/registries",
    ...
    "properties": {
        "publicNetworkAccess": "Enabled",
        ..
}

範例 2：以下範例範本透過指定廣泛的允許清單給 networkRuleSet 屬性來定義未限制網路存取的 Azure Container Registry。


{
    "name": "[variables('acrName')]",
    "type": "Microsoft.ContainerRegistry/registries",
    ...
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkRuleSet":
        {
            "defaultAction": "Allow",
            "ipRules":[{
                "action": "Allow",
                "value": "*"
            }]
        }
        ...
}

References

[1] Microsoft Azure Container Registry Documentation - Configure public IP network rules

[2] Microsoft Azure security baseline for Container Registry

[3] Microsoft Restrict access to a container registry using a service endpoint in an Azure virtual network

[4] Microsoft Connect privately to an Azure container registry using Azure Private Link

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[9] Standards Mapping - CIS Kubernetes Benchmark partial

[10] Standards Mapping - Common Weakness Enumeration CWE ID 749

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.json.azure_arm_misconfiguration_improper_container_registry_network_access_control

Azure ARM Misconfiguration: Improper CORS Policy

Bicep
JSON

Abstract

範本將定義過度允許的 CORS 原則。

Explanation

Cross-Origin Resource Sharing 通常簡稱為 CORS，是一種允許網域為其資源定義原則，讓託管在不同網域上的網頁存取其資源的技術。根據過去經驗，網頁瀏覽器已限制其網域資源不得由不同網域載入的指令碼所存取，以遵守相同來源原則。
CORS 為網域提供了一種允許其他網域並讓它們可以存取其資源的方法。

定義 CORS 原則時務必小心，因為在伺服器層級為網域或網域上的目錄所設定的原則若過度允許，公開給跨網域存取的內容可能會高於預期。CORS 可能使惡意應用程式與受害應用程式進行不當通訊，進而可導致資訊外洩、詐騙、資料竊取、轉送或其他攻擊。

實作 CORS 可能增加應用程式的受攻擊面，所以僅在必要時才應使用。

範例 1：以下範例範本為 Azure SignalR Web 應用程式定義過度允許的 CORS 原則。


resource example 'Microsoft.SignalRService/SignalR@2022-02-01' = {
    ...
    properties: {
        ...
        cors: {
            ...
            allowedOrigins: [ '*' ]
        }
    }
}

範例 2：以下範例範本為 Azure Web 應用程式定義過度允許的 CORS 原則。


resource example 'Microsoft.Web/sites@2020-12-01' = {
    ...
    properties: {
        ...
        siteConfig: {
            ...
            cors: {
                ...
                allowedOrigins: [ '*' ]
            }
        }
    }
}

範例 3：以下範例範本為 Azure Maps 帳戶定義過度允許的 CORS 原則。


resource example 'Microsoft.Maps/accounts@2021-12-01-preview' = {
    ...
    properties: {
        ...
        cors: {
            corsRules: [
                {
                    allowedOrigins: [ '*' ]
                }
            ]
        }
    }
}

範例 4：以下範例範本為 Azure Cosmos DB 帳戶定義過度允許的 CORS 原則。


resource example 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
    ...
    properties: {
        ...
        cors: [
            {
                ...
                allowedOrigins: '*'
            }
        ]
    }
}

範例 5：以下範例範本為 Azure 儲存體 Blob 服務定義過度允許的 CORS 原則。


resource example 'Microsoft.Storage/storageAccounts/blobServices@2021-09-01' = {
    ...
    properties: {
        ...
        cors: {
            corsRules: [
                {
                    ...
                    allowedOrigins: [ '*' ]
                }
            ]
        }
    }
}

References

[1] W3C Cross-Origin Resource Sharing

[2] Enable Cross-Origin Resource Sharing

[3] Michael Schmidt HTML5 Web Security

[4] Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, and Frank Piessens A Security Analysis of Next Generation Web Standards

[5] Microsoft Cross-Origin Resource Sharing (CORS) support for Azure Storage

[6] Microsoft Cosmos DB - SQL API - Configure Cross-Origin Resource Sharing (CORS)

[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.5

[8] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark Integrity

[12] Standards Mapping - Common Weakness Enumeration CWE ID 942

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.6 HTTP Security Headers Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[46] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.bicep.azure_arm_misconfiguration_improper_cors_policy

Abstract

範本將定義過度允許的 CORS 原則。

Explanation

Cross-Origin Resource Sharing 通常簡稱為 CORS，是一種允許網域為其資源定義原則，讓託管在不同網域上的網頁存取其資源的技術。根據過去經驗，網頁瀏覽器已限制其網域資源不得由不同網域載入的指令碼所存取，以遵守相同來源原則。
CORS 為網域提供了一種允許其他網域並讓它們可以存取其資源的方法。

定義 CORS 原則時務必小心，因為在伺服器層級為網域或網域上的目錄所設定的原則若過度允許，公開給跨網域存取的內容可能會高於預期。CORS 可能使惡意應用程式與受害應用程式進行不當通訊，進而可導致資訊外洩、詐騙、資料竊取、轉送或其他攻擊。

實作 CORS 可能增加應用程式的受攻擊面，所以僅在必要時才應使用。

範例 1：以下範例範本為 Azure SignalR Web 應用程式定義過度允許的 CORS 原則。


{
    ...
    "type": "Microsoft.SignalRService/SignalR",
    ...
    "properties": {
    ...
        "cors": {
            "allowedOrigins": ["*"]
        },
    ...
}

範例 2：以下範例範本為 Azure Web 應用程式定義過度允許的 CORS 原則。


{
    "apiVersion": "2020-12-01",
    "type": "Microsoft.Web/sites",
    ...
    "properties": {
        ...
        "siteConfig": {
            ...
            "cors": {
                "allowedOrigins": [
                    "*"
                ]
            },
    ...
}

範例 3：以下範例範本為 Azure Maps 帳戶定義過度允許的 CORS 原則。


{
    "apiVersion": "2021-12-01-preview",
    "type": "Microsoft.Maps/accounts",
    ...
    "properties":{
        "cors":{
            "allowedOrigins": ["*"]
        }
    },
    ...
}

範例 4：以下範例範本為 Azure Cosmos DB 帳戶定義過度允許的 CORS 原則。


{
    "type": "Microsoft.DocumentDB/databaseAccounts",
    ...
    "properties": {
        "cors": [{
            "allowedOrigins":"*"
        }],
    ...
}

範例 5：以下範例範本為 Azure 儲存體 Blob 服務定義過度允許的 CORS 原則。


{
"type": "Microsoft.Storage/storageAccounts/blobServices",
    ...
    "properties": {
        "cors": {
            "corsRules": [
                {
                    "allowedOrigins":["*"],
                    ...
                }
            ]
        }
    }
    ...
}

References

[1] W3C Cross-Origin Resource Sharing

[2] Enable Cross-Origin Resource Sharing

[3] Michael Schmidt HTML5 Web Security

[4] Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, and Frank Piessens A Security Analysis of Next Generation Web Standards

[5] Microsoft Cross-Origin Resource Sharing (CORS) support for Azure Storage

[6] Microsoft Cosmos DB - SQL API - Configure Cross-Origin Resource Sharing (CORS)

[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.5

[8] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[9] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[10] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[11] Standards Mapping - CIS Google Kubernetes Engine Benchmark Integrity

[12] Standards Mapping - Common Weakness Enumeration CWE ID 942

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.6 HTTP Security Headers Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[46] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.json.azure_arm_misconfiguration_improper_cors_policy

Azure ARM Misconfiguration: Improper Custom Role Access Control Policy

Bicep
JSON

Abstract

範本定義一個具有擁有者權限的角色。

Explanation

自訂 Azure 訂閱擁有者角色提供對訂閱下所有資源的無限制存取，大大增加了組織暴露於風險並違反了最低權限原則。

範例 1：以下範例顯示一個具有所有可能權限的自訂擁有者角色定義。


resource example 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
    ...
    properties: {
        ...
        permissions: [
            {
                ...
                actions: [ '*' ]
            }
        ]
    }
}

References

[1] Microsoft Azure Resources Documentation: Microsoft.Authorization roleDefinitions

[2] Microsoft Azure RBAC documentation: Create custom roles

[3] Microsoft Security recommendations - a reference guide

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Partial

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark Integrity

[9] Standards Mapping - CIS Kubernetes Benchmark Partial

[10] Standards Mapping - Common Weakness Enumeration CWE ID 250

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[12] Standards Mapping - FIPS200 AC

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.2 Malicious Code Search (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.bicep.azure_arm_misconfiguration_improper_custom_role_access_control_policy

Abstract

範本定義一個具有擁有者權限的角色。

Explanation

自訂 Azure 訂閱擁有者角色提供對訂閱下所有資源的無限制存取，大大增加了組織暴露於風險並違反了最低權限原則。

範例 1：以下範例顯示一個具有所有可能權限的自訂擁有者角色定義。


{
    "resources": [
        {
            "name": "roleDef",
            "type": "Microsoft.Authorization/roleDefinitions",
            "apiVersion": "2018-01-01-preview",
            "properties": {
                "roleName": "InfraAdmin",
                "description": "Infrastructure Admin",
                "permissions": [
                    {
                        "actions": [
                            "*"
                        ]
                    }
                ],
                ...
            }
        }
    ]
}

References

[1] Microsoft Azure Resources Documentation: Microsoft.Authorization roleDefinitions

[2] Microsoft Azure RBAC documentation: Create custom roles

[3] Microsoft Security recommendations - a reference guide

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Partial

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark Integrity

[9] Standards Mapping - CIS Kubernetes Benchmark Partial

[10] Standards Mapping - Common Weakness Enumeration CWE ID 250

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[12] Standards Mapping - FIPS200 AC

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.2 Malicious Code Search (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.json.azure_arm_misconfiguration_improper_custom_role_access_control_policy

Azure ARM Misconfiguration: Improper DocumentDB Network Access Control

Bicep
JSON

Abstract

範本將定義一個未限制網路存取的 Azure Cosmos DB。

Explanation

寬鬆的存取組態會將系統暴露在外，並擴大組織的受攻擊面。開放與網際網路互動的服務會受到惡意實體幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下範例範本將定義一個未限制網路存取的 Azure Cosmos DB。publicNetworkAccess 屬性設定為 Enabled，且 IP 位址範圍包括所有 IP。


resource example 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = {
    ...
    properties: {
        ...
        publicNetworkAccess: 'Enabled'
        ipRules: [
            {
                ipAddressOrRange: '0.0.0.0'
            }
        ]
    }
}

References

[1] Microsoft Configure IP firewall in Azure Cosmos DB

[2] Microsoft Azure security baseline for Azure Cosmos DB

[3] Microsoft Configure access to Azure Cosmos DB from virtual networks (VNet)

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 749

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.bicep.azure_arm_misconfiguration_improper_documentdb_network_access_control

Abstract

範本將定義一個未限制網路存取的 Azure Cosmos DB。

Explanation

寬鬆的存取組態會將系統暴露在外，並擴大組織的受攻擊面。開放與網際網路互動的服務會受到惡意實體幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下範例範本將定義一個未限制網路存取的 Azure Cosmos DB。publicNetworkAccess 屬性設定為 Enabled，且 IP 位址範圍包括所有 IP。


{
    "type": "Microsoft.DocumentDB/databaseAccounts",
    "apiVersion": "2021-04-15",
    ...
    "properties": {
        ...
        "publicNetworkAccess": "Enabled",
        "ipRules":[{
                "ipAddressOrRange":  "0.0.0.0"
            }]
    ...
}

References

[1] Microsoft Configure IP firewall in Azure Cosmos DB

[2] Microsoft Azure security baseline for Azure Cosmos DB

[3] Microsoft Configure access to Azure Cosmos DB from virtual networks (VNet)

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 749

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.json.azure_arm_misconfiguration_improper_documentdb_network_access_control

Azure ARM Misconfiguration: Improper KeyVault Access Control Policy

Bicep
JSON

Abstract

範本定義一個沒有到期日的機密。

Explanation

有效期間長的機密容易被盜，進而將組織置於被入侵的風險之中。

範例 1：以下範例顯示一個定義金鑰的範本，但金鑰沒有到期日。


@secure()
param secretValue string

resource example 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
    ...
    properties: {
        ...
        value: secretValue
    }
}

References

[1] Microsoft Key and secret management considerations in Azure

[2] Gary Klionsky Managing and Rotating Secrets with Azure Key Vault, Managed Services, and some automation

[3] Microsoft Tutorial: Use a Windows VM system-assigned managed identity to access Azure Key Vault

[4] Marcel.L Automate password rotation with Github and Azure

[5] Elaine Barker NIST Special Publication 800-57 Part 1 Revision 5- Recommendation for Key Management: Part 1 – General

[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality

[10] Standards Mapping - Common Weakness Enumeration CWE ID 261

[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199

[16] Standards Mapping - FIPS200 MP

[17] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[20] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[21] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[23] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[25] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.bicep.azure_arm_misconfiguration_improper_keyvault_access_control_policy.base

Abstract

範本定義一個沒有到期日的機密。

Explanation

有效期間長的機密容易被盜，進而將組織置於被入侵的風險之中。

範例 1：以下範例顯示一個定義金鑰的範本，但金鑰沒有到期日。


  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
    "apiVersion": "2019-09-01",
    "location": "[parameters('location')]",
    "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    ],
    "properties": {
        "value": "[parameters('secretValue')]"
    }
}

References

[1] Microsoft Key and secret management considerations in Azure

[2] Gary Klionsky Managing and Rotating Secrets with Azure Key Vault, Managed Services, and some automation

[3] Microsoft Tutorial: Use a Windows VM system-assigned managed identity to access Azure Key Vault

[4] Marcel.L Automate password rotation with Github and Azure

[5] Elaine Barker NIST Special Publication 800-57 Part 1 Revision 5- Recommendation for Key Management: Part 1 – General

[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality

[10] Standards Mapping - Common Weakness Enumeration CWE ID 261

[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199

[16] Standards Mapping - FIPS200 MP

[17] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[20] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[21] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[23] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[25] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.json.azure_arm_misconfiguration_improper_keyvault_access_control_policy.base

Azure ARM Misconfiguration: Improper Security Group Network Access Control

Bicep
JSON

Abstract

範本將定義一個允許存取管理服務的網路安全性群組。

Explanation

範圍過大的存取組態會將系統暴露在外，並擴大組織的受攻擊面。開放與公眾互動的服務會受到攻擊者幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下範例範本允許將未受限制的輸入流量傳輸至某個範圍內的連接埠，其中包括 RDP 服務連接埠 (3389)。


resource example 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = {
    ...
    properties: {
        ...
        description: 'Services Inbound Range'
        protocol: 'Tcp'
        sourcePortRange: '*'
        destinationPortRanges: [ '3333-3389' ]
        sourceAddressPrefix: '*'
        destinationAddressPrefix: '*'
        access: 'Allow'
        priority: 100
        direction: 'Inbound'
    }
}

References

[1] Microsoft Network security groups

[2] David Geer Securing risky network ports

[3] Josh Fruhlinger CSO: What is the Heartbleed bug, how does it work and how was it fixed?

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - Common Weakness Enumeration CWE ID 749

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.bicep.azure_arm_misconfiguration_improper_security_group_network_access_control.base

Abstract

範本將定義一個允許存取管理服務的網路安全性群組。

Explanation

範圍過大的存取組態會將系統暴露在外，並擴大組織的受攻擊面。開放與公眾互動的服務會受到攻擊者幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下範例範本允許將未受限制的輸入流量傳輸至某個範圍內的連接埠，其中包括 RDP 服務連接埠 (3389)。


{
    ...
    "name": "sample/securitygroup",
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "apiVersion": "2020-11-01",
    "properties": {
        "description": "Services Inbound Range",
        "protocol": "Tcp",
        "sourcePortRange": "*",
        "destinationPortRanges": [
            "3333-3389"
        ],
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": 100,
        "direction": "Inbound"
    ...
}

References

[1] Microsoft Network security groups

[2] David Geer Securing risky network ports

[3] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - Common Weakness Enumeration CWE ID 749

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.json.azure_arm_misconfiguration_improper_security_group_network_access_control.base

Azure ARM Misconfiguration: Improper SQL Server Network Access Control

Bicep
JSON

Abstract

範本將定義一個未限制網路存取的 Azure SQL 資料庫執行個體。

Explanation

未限制允許 IP 位址範圍的 Azure SQL 資料庫執行個體，會不必要地擴大組織的受攻擊面。開放與公眾互動的服務會受到攻擊者幾乎連續的掃描和探測。

範例 1：以下範例範本將定義一個過度公開的 Azure SQL 資料庫執行個體。


resource example 'Microsoft.Sql/servers@2021-11-01' = {
    ...
    resource fwRules 'firewallRules' = {
        properties: {
            startIpAddress: '0.0.0.0'
            endIpAddress: '255.255.255.255'
        }
    }
}

References

[1] Tom Olzak Attack Surface Reduction – Chapter 4

[2] Microsoft Azure SQL Database and Azure Synapse Analytics network access controls

[3] Microsoft Azure SQL Database and Azure Synapse IP firewall rules

[4] Microsoft Private IP addresses

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[9] Standards Mapping - Common Weakness Enumeration CWE ID 749

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.bicep.azure_arm_misconfiguration_improper_sql_server_network_access_control

Abstract

範本將定義一個未限制網路存取的 Azure SQL 資料庫執行個體。

Explanation

未限制允許 IP 位址範圍的 Azure SQL 資料庫執行個體，會不必要地擴大組織的受攻擊面。開放與公眾互動的服務會受到攻擊者幾乎連續的掃描和探測。

範例 1：以下範例範本將定義一個過度公開的 Azure SQL 資料庫執行個體。


{
    "resources": [
        {
            "name": "[variables('sqlServerName')]",
            "type": "Microsoft.Sql/servers",
            ...
            "resources": [
                {
                    "type": "databases",
                    ...
                },
                {
                    "name": "AllowAllIPs",
                    "type": "firewallrules",
                    "apiVersion": "2020-02-02-preview",
                    "location": "[parameters('location')]",
                    "properties": {
                        "endIpAddress": "255.255.255.255",
                        "startIpAddress": "0.0.0.0"
                    },
                }
            ]
        }
    ]
}

References

[1] Tom Olzak Attack Surface Reduction – Chapter 4

[2] Microsoft Azure SQL Database and Azure Synapse Analytics network access controls

[3] Microsoft Azure SQL Database and Azure Synapse IP firewall rules

[4] Microsoft Private IP addresses

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[9] Standards Mapping - Common Weakness Enumeration CWE ID 749

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.json.azure_arm_misconfiguration_improper_sql_server_network_access_control

Azure ARM Misconfiguration: Improper Storage Network Access Control

Bicep
JSON

Abstract

範本定義一個網路存取權不當的 Azure 儲存體帳戶。

Explanation

寬鬆的存取組態會將系統不必要地暴露在外，並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[5] Standards Mapping - CIS Kubernetes Benchmark complete

[6] Standards Mapping - Common Weakness Enumeration CWE ID 284

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[10] Standards Mapping - FIPS200 AC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.azure.improper_storage_network_access_control.base

Abstract

範本定義一個網路存取權不當的 Azure 儲存體帳戶。

Explanation

寬鬆的存取組態會將系統不必要地暴露在外，並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[5] Standards Mapping - CIS Kubernetes Benchmark complete

[6] Standards Mapping - Common Weakness Enumeration CWE ID 284

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[10] Standards Mapping - FIPS200 AC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.azure.improper_storage_network_access_control.base

Azure ARM Misconfiguration: Insecure Active Directory Domain Service Transport

Bicep
JSON

Abstract

範本允許使用過時的 TLS 版本。

Explanation

傳輸層安全性 (TLS) 和安全通訊端層 (SSL) 通訊協定提供保護機制，確保用戶端與 Web 伺服器之間所傳輸的資料的真實性、機密性和完整性。TLS 和 SSL 均歷經多次修訂，定期提供更新版本。每次新的修訂皆會解決之前版本中發現的安全性弱點。使用不安全版本的 TLS/SSL 將會減弱資料保護的強度，可能讓攻擊者危及、竊取或修改敏感資訊。

不安全的 TLS/SSL 版本可能存在以下一或多個屬性：

- 無法防範 man-in-the-middle 攻擊
- 驗證及加密使用同一金鑰
- 訊息驗證控制弱
- 無法防範 TCP 連線關閉

這些屬性可能會讓攻擊者得以攔截、修改或竄改敏感資料。

References

[1] National Security Agency Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations

[2] Microsoft Secure a custom DNS name with a TLS/SSL binding in Azure App Service

[3] Microsoft Security in Azure App Service

[4] Microsoft Custom configuration settings for App Service Environments - Disable TLS 1.0 and TLS 1.1

[5] Microsoft Harden an Azure Active Directory Domain Services managed domain

[6] Microsoft UPDATE: Transport Layer Security 1.0 and 1.1 disablement

[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[11] Standards Mapping - Common Weakness Enumeration CWE ID 327

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[13] Standards Mapping - FIPS200 CM, SC

[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[19] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[37] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327

[38] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327

[39] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327

[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

desc.structural.bicep.azure_arm_misconfiguration_insecure_active_directory_domain_service_transport.base

Abstract

範本允許使用過時的 TLS 版本。

Explanation

傳輸層安全性 (TLS) 和安全通訊端層 (SSL) 通訊協定提供保護機制，確保用戶端與 Web 伺服器之間所傳輸的資料的真實性、機密性和完整性。TLS 和 SSL 均歷經多次修訂，定期提供更新版本。每次新的修訂皆會解決之前版本中發現的安全性弱點。使用不安全版本的 TLS/SSL 將會減弱資料保護的強度，可能讓攻擊者危及、竊取或修改敏感資訊。

不安全的 TLS/SSL 版本可能存在以下一或多個屬性：

- 無法防範 man-in-the-middle 攻擊
- 驗證及加密使用同一金鑰
- 訊息驗證控制弱
- 無法防範 TCP 連線關閉

這些屬性可能會讓攻擊者得以攔截、修改或竄改敏感資料。

References

[1] National Security Agency Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations

[2] Microsoft Secure a custom DNS name with a TLS/SSL binding in Azure App Service

[3] Microsoft Security in Azure App Service

[4] Microsoft Custom configuration settings for App Service Environments - Disable TLS 1.0 and TLS 1.1

[5] Microsoft Harden an Azure Active Directory Domain Services managed domain

[6] Microsoft UPDATE: Transport Layer Security 1.0 and 1.1 disablement

[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[11] Standards Mapping - Common Weakness Enumeration CWE ID 327

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[13] Standards Mapping - FIPS200 CM, SC

[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[19] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[37] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327

[38] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327

[39] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327

[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

desc.structural.json.azure_arm_misconfiguration_insecure_active_directory_domain_service_transport.base

Azure ARM Misconfiguration: Insecure App Service Transport

Bicep
JSON

Abstract

範本允許使用過時的 TLS 版本。

Explanation

傳輸層安全性 (TLS) 和安全通訊端層 (SSL) 通訊協定提供保護機制，確保用戶端與 Web 伺服器之間所傳輸的資料的真實性、機密性和完整性。TLS 和 SSL 均歷經多次修訂，定期提供更新版本。每次新的修訂皆會解決之前版本中發現的安全性弱點。使用不安全版本的 TLS/SSL 將會減弱資料保護的強度，可能讓攻擊者危及、竊取或修改敏感資訊。

不安全的 TLS/SSL 版本可能存在以下一或多個屬性：

- 無法防範 man-in-the-middle 攻擊
- 驗證及加密使用同一金鑰
- 訊息驗證控制弱
- 無法防範 TCP 連線關閉

這些屬性可能會讓攻擊者得以攔截、修改或竄改敏感資料。

References

[1] National Security Agency Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations

[2] Microsoft Secure a custom DNS name with a TLS/SSL binding in Azure App Service

[3] Microsoft Security in Azure App Service

[4] Microsoft Custom configuration settings for App Service Environments - Disable TLS 1.0 and TLS 1.1

[5] Microsoft Harden an Azure Active Directory Domain Services managed domain

[6] Microsoft UPDATE: Transport Layer Security 1.0 and 1.1 disablement

[7] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality

[11] Standards Mapping - CIS Kubernetes Benchmark Complete

[12] Standards Mapping - Common Weakness Enumeration CWE ID 319

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[14] Standards Mapping - FIPS200 SC

[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[19] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[20] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[24] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[26] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[38] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[39] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[40] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.bicep.azure_arm_misconfiguration_insecure_active_directory_domain_service_transport.base

Abstract

範本定義一個不強制 HTTPS 通訊的 Azure App Service。

Explanation

未加密的通訊通道容易遭受竊聽和竄改。

透過 HTTP 為 Web 應用程式提供服務時，將允許攻擊者執行 man-in-the-middle 攻擊，讓他們能夠讀取或修改正透過通道傳輸的資料。

範例 1：以下範例顯示一個範本，其定義不強制 HTTPS 通訊的 Azure App Service。


{
    "resources": [
        {
            "name": "webSite",
            "type": "Microsoft.Web/sites",
            "apiVersion": "2020-12-01",
            "location": "location1",
            "tags": {},
            "properties": {
                "enabled": true
            },
            "resources": []
        }
    ]
}

References

[1] CIO Council The HTTPS-Only Standard

[2] Josh Fruhlinger What is SSL, TLS? And how this encryption protocol works

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark Complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 319

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[10] Standards Mapping - FIPS200 SC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.json.azure_arm_misconfiguration_insecure_app_service_transport

Azure ARM Misconfiguration: Insecure CDN Transport

Bicep
JSON

Abstract

服務不會在傳輸過程中強制執行強加密。

Explanation

保護不足的資料通訊管道可能會使關鍵的組織資料面臨遭受竊取、篡改或外洩的風險。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality

[5] Standards Mapping - CIS Kubernetes Benchmark Complete

[6] Standards Mapping - Common Weakness Enumeration CWE ID 319

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[8] Standards Mapping - FIPS200 SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[20] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.iac.misconfiguration_insecure_transport.base

Abstract

服務不會在傳輸過程中強制執行強加密。

Explanation

保護不足的資料通訊管道可能會使關鍵的組織資料面臨遭受竊取、篡改或外洩的風險。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality

[5] Standards Mapping - CIS Kubernetes Benchmark Complete

[6] Standards Mapping - Common Weakness Enumeration CWE ID 319

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[8] Standards Mapping - FIPS200 SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[20] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.iac.misconfiguration_insecure_transport.base

Azure ARM Misconfiguration: Insecure Database for MySQL Storage

Bicep
JSON

Abstract

組態會建立一個沒有靜態加密的資源。

Explanation

未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[9] Standards Mapping - FIPS200 MP

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

desc.structural.iac.misconfiguration_insecure_storage.base

Abstract

組態會建立一個沒有靜態加密的資源。

Explanation

未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[9] Standards Mapping - FIPS200 MP

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

desc.structural.iac.misconfiguration_insecure_storage.base

<
2
3
4
5
6
7
8
9
10
>