Azure: Cloud Custodian Policies for Azure WebApp

policies:
  - name: webapp-alwayson-is-not-enabled
    resource: azure.webapp
    comment: |
      Find all Azure App Services Web Applications where AlwaysOn has
      not been turned ON. Ensure that your Microsoft Azure App
      Services web applications have the Always On feature enabled in
      order to prevent applications from being idled out due to
      inactivity. Always On keeps your websites/web applications
      loaded even when there is no traffic. False = AlwaysOn is
      disabled; True = AlwaysOn is enabled. This policy runs every
      Sunday at 9:15AM UTC (CST time: 3:15AM) to check for AlwaysOn
      settings.
    filters:
      - type: configuration
        # Site-config keys are camelCase in the serialized config; the
        # lower-case 'alwayson' would never match.
        key: alwaysOn
        op: eq
        value: false
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-authentication-service-not-enforced
    resource: azure.webapp
    comment: |
      Find all Azure Application Services - Web Applications that are
      NOT configured to use App Service Authentication. By default, the
      App Service Authentication feature is disabled when a new web
      application is created using the Azure Command Line Interface
      (CLI) or the Azure portal. Therefore, all new applications have
      anonymous access enabled, which allows users to reach the
      application without being prompted to log in. When Azure App
      Service Authentication is enabled, every incoming HTTP request
      passes through it before being handled by the web application
      code. This policy runs every Sunday at 9:15AM UTC (CST time:
      3:15AM) to check for authentication service enforcement.
    filters:
      - type: configuration
        # 'enabled' is not a site-config property. siteAuthEnabled is the
        # site-config flag for App Service Authentication; verify that it is
        # present in the serialized config for your c7n_azure/SDK version.
        key: siteAuthEnabled
        op: eq
        value: false
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-ftps-only-not-enforced
    resource: azure.webapp
    comment: |
      Find all Azure Application Services - Web Applications that are
      NOT configured to use FTPS-only access (i.e. that do not enforce
      FTPS-only). With FTP, the transmission of data between the web
      application and the FTP client is unencrypted, leaving the data
      vulnerable to being intercepted and read. Enforcing FTPS-only
      access for your Azure App Services applications guarantees that
      the encrypted traffic between the web application servers and
      the FTP clients cannot be decrypted by malicious actors in case
      they are able to intercept packets sent across the FTP
      connection. If value = AllAllowed, FTPS-only access is not
      enforced for the selected Web Application. This policy runs every
      Sunday at 9:45AM UTC (CST time: 3:45AM) to check for FTPS-only
      State.
    filters:
      - type: configuration
        key: ftpsState
        op: eq
        value: AllAllowed
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-http2-not-enabled
    resource: azure.webapp
    comment: |
      Find all Azure App Services Web Apps that are not using HTTP
      version 2.0. Two HTTP versions are available: 1.1 and 2.0. This
      policy runs every Sunday at 9:15AM UTC (CST time: 3:15AM) to
      check for the HTTP version.
    filters:
      - type: configuration
        key: http20Enabled
        op: eq
        value: false
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-https-only-not-enforced
    resource: azure.webapp
    comment: |
      Find all Azure Application Services - Web Applications that are
      NOT configured to use HTTPS-Only traffic. Enforcing HTTPS-only
      traffic for your Azure App Service applications guarantees that
      the encrypted traffic between the web application servers and
      the application clients cannot be decrypted by malicious users
      in case they are able to intercept packets sent across the
      Internet. True = Enabled (enforce HTTPS redirection) and False =
      Disabled (does not enforce HTTPS). This policy runs every Sunday
      at 9:15AM UTC (CST time: 3:15AM) to check for HTTPS-Only
      settings.
    filters:
      # httpsOnly is a property of the site resource itself, not of the
      # site configuration, so it is matched with a value filter on the
      # resource's properties rather than with the configuration filter.
      - type: value
        key: properties.httpsOnly
        op: eq
        value: false
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-remote-debugging-not-disabled
    resource: azure.webapp
    comment: |
      Find all Azure App Services Web Apps that are configured to use
      remote debugging. Ensure that your Azure App Services web
      applications have remote debugging disabled in order to enhance
      security and protect the applications from unauthorized access.
      True = Enabled and False = Disabled. The Remote Debugging feature
      is available for web applications (e.g. ASP.NET, ASP.NET Core,
      Node.js, Python). This policy runs every Sunday at 9:15AM UTC
      (CST time: 3:15AM) to check for remote debugging settings.
    filters:
      - type: configuration
        key: remoteDebuggingEnabled
        op: eq
        value: true
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-tls-not-latest-version
    resource: azure.webapp
    comment: |
      Find all Web Apps whose minimum TLS encryption version is not
      1.2. The Transport Layer Security (TLS) protocol secures the
      transmission of data between servers and web browsers over the
      Internet using standard encryption technology. This policy runs
      every Sunday at 9:15AM UTC (CST time: 3:15AM) to check for the
      TLS version.
    filters:
      - type: configuration
        key: minTlsVersion
        op: ne
        value: '1.2'   # quoted so YAML keeps it a string, not the float 1.2
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-websocket-not-disabled
    resource: azure.webapp
    comment: |
      Find all Azure App Services Web Apps that are configured to use
      WebSockets (meaning WebSockets is ON). The WebSockets feature is
      available for web applications and can be turned either ON /
      True or OFF / False. This policy runs every Sunday at 9:15AM UTC
      (CST time: 3:15AM) to check for the WebSockets configuration.
    filters:
      - type: configuration
        key: webSocketsEnabled
        op: eq
        value: true
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-wildcard-cors-config-allowed
    resource: azure.webapp
    comment: |
      Find all Application Services (Web Apps and Functions) with a
      Cross-Origin Resource Sharing (CORS) configuration set to allow
      all origins. In other words, get all wildcard CORS
      configurations. This policy runs every Sunday at 9:15AM UTC (CST
      time: 3:15AM).
    filters:
      - type: configuration
        # The CORS allow-list lives under cors.allowedOrigins in the site
        # config; a '*' entry means every origin is allowed. (The original
        # filter here had been copied from the WebSockets policy.)
        key: cors.allowedOrigins
        op: contains
        value: '*'
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-fewer-messages-in-last-72hrs
    resource: azure.webapp
    comment: |
      Find all Application Services that are receiving 10 or fewer
      messages in the last 72 hours. This policy runs every Sunday at
      9:15AM UTC (CST time: 3:15AM). This policy helps in cost saving.
    filters:
      - type: metric
        metric: Requests
        aggregation: total
        op: le
        threshold: 10
        timeframe: 72
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: webapp-huge-error-count-in-last-72hrs
    resource: azure.webapp
    comment: |
      Find all Application Services with a very high server error
      (HTTP 5xx) count in the last 72 hours. This policy runs every
      Sunday at 9:15AM UTC (CST time: 3:15AM). This policy helps in
      cost saving.
    filters:
      - type: metric
        metric: Http5xx   # the App Service metric is named Http5xx (three x's)
        aggregation: total
        op: ge
        threshold: 1000
        timeframe: 72
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
vars:
  absent-tags-filter: &absent-tags
    - "tag:owner": absent
    - "tag:service": absent

policies:
  - name: webapp-missing-tags
    resource: azure.webapp
    comment: |
      Find all Application Services that are missing the owner tag or
      the service tag. This policy runs every Sunday at 9:15AM UTC
      (CST time: 3:15AM).
    filters:
      - or: *absent-tags
    mode:
      schedule: '0 15 9 * * 0'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
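Added example, not from the article or from Cloud Custodian: a small Python evaluator that replays the configuration filters from the policies above against constructed site-config documents in the camelCase form c7n_azure serializes them, including the wildcard-CORS check and a site with no CORS block at all. The dotted-key lookup and operator table are simplified stand-ins for Custodian's value filter, and the resource-level (httpsOnly), metric and tag policies are deliberately left out.

```python
import operator

# Subset of the operators Custodian's value filter offers: 'contains' reads as "value in actual".
OPERATORS = {"eq": operator.eq, "ne": operator.ne,
             "contains": lambda actual, wanted: wanted in actual}

def lookup(doc, key):
    """Resolve a dotted key such as 'cors.allowedOrigins'; None if any segment is missing."""
    for part in key.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def matches(config, flt):
    """True when the filter {'key', 'op', 'value'} matches the serialized site config."""
    actual = lookup(config, flt["key"])
    try:
        return OPERATORS[flt["op"]](actual, flt["value"])
    except TypeError:  # e.g. 'contains' against a missing (None) cors block: treat as no match
        return False

# Configuration filters taken from the policies above (camelCase keys, as in the YAML).
POLICIES = {
    "webapp-alwayson-is-not-enabled": {"key": "alwaysOn", "op": "eq", "value": False},
    "webapp-ftps-only-not-enforced": {"key": "ftpsState", "op": "eq", "value": "AllAllowed"},
    "webapp-http2-not-enabled": {"key": "http20Enabled", "op": "eq", "value": False},
    "webapp-remote-debugging-not-disabled": {"key": "remoteDebuggingEnabled", "op": "eq", "value": True},
    "webapp-tls-not-latest-version": {"key": "minTlsVersion", "op": "ne", "value": "1.2"},
    "webapp-websocket-not-disabled": {"key": "webSocketsEnabled", "op": "eq", "value": True},
    "webapp-wildcard-cors-config-allowed": {"key": "cors.allowedOrigins", "op": "contains", "value": "*"},
}

def findings(site_config):
    """Sorted names of the policies whose filter matches this site config."""
    return sorted(name for name, flt in POLICIES.items() if matches(site_config, flt))

# Constructed sample configs (hypothetical sites, not real tenants): one weak, one hardened.
WEAK_SITE = {
    "alwaysOn": False, "ftpsState": "AllAllowed", "http20Enabled": False,
    "remoteDebuggingEnabled": True, "minTlsVersion": "1.0", "webSocketsEnabled": True,
    "cors": {"allowedOrigins": ["https://app.example.com", "*"]},
}
HARDENED_SITE = {
    "alwaysOn": True, "ftpsState": "FtpsOnly", "http20Enabled": True,
    "remoteDebuggingEnabled": False, "minTlsVersion": "1.2", "webSocketsEnabled": False,
    "cors": None,  # no CORS block configured at all
}
```

Calling `findings(WEAK_SITE)` returns all seven policy names, while `findings(HARDENED_SITE)` returns an empty list; the None-valued CORS block shows why a `contains` check must tolerate a missing key rather than raising.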

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT