Add Azure.Pillar.Security.L2 maturity baseline#3727
Conversation
- Add Azure.Pillar.Security.L2 baseline to WAF.Rule.yaml - Add 'Azure.WAF/maturity' = 'L2' labels to PS1 rule files covering: NSG, VNET, FrontDoor, EventHub, MariaDB, MySQL, PostgreSQL, Redis, SQL, ContainerApp, LogicApp, VMSS, VM, Subscription/RBAC, APIM, Defender, Storage, Cosmos, Arc, AppService, Automation, KeyVault, DNS, Deployment, AppConfig, ACR rules - Add Azure.WAF/maturity: L2 labels to YAML rule files covering: ACR, AI, AKS, AppGw, AppGwWAF, BV, CDN, ContainerApp, Cosmos, Databricks, Defender, EventGrid, Firewall, FrontDoor, FrontDoorWAF, ImageBuilder, ML, Redis rules Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ntation updates Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/cb5289a6-ff5c-4508-a616-491e22344823
|
@copilot Add a link to maturity model level to for each updated rule. Use this link: - [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) |
…on files Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/cf754a70-bcce-449c-95ef-ef1709ce2eca Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
Added |
|
@copilot Update the classification of the following rules: Level 1: Azure.ACR.AnonymousAccess Level 4: Azure.AI.PrivateEndpoints Level 5: Azure.ACR.Quarantine |
…s, AppConfig.SecretLeak (L1), AI.PrivateEndpoints (L4), ACR.Quarantine/ContentTrust (L5) Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/5915218c-ac34-4966-b7db-04037485eb09 Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
Updated in commit
Maturity model links in each rule's documentation updated accordingly. |
Implements the WAF Security pillar Level 2 maturity baseline, assigning
Azure.WAF/maturity: L2to rules across the Security pillar and introducing theAzure.Pillar.Security.L2baseline that selects them.New baseline
Added
Azure.Pillar.Security.L2(experimental) toWAF.Rule.yaml— mirrors the L1 pattern, filtering GA Security pillar rules by theL2maturity label.L2 label assignments
Labels added to ~135 rules across PS1 and YAML rule files, grouped by L2 guidance themes:
Azure.Deployment.*secret/secure rules, APIM sample products and policy baseMaturity label corrections
The following rules were reclassified to a more appropriate maturity level:
Azure.ACR.AnonymousAccess,Azure.APIM.EncryptValues,Azure.AppConfig.SecretLeakAzure.AI.PrivateEndpointsAzure.ACR.Quarantine,Azure.ACR.ContentTrustDocs
LINKSsection.working-with-baselines.md: added L2 baseline entrychangelog.md: added entry under UnreleasedOriginal prompt
This section details on the original issue you should resolve
<issue_title>[FEATURE] Maturity Level 2 - WAF Security</issue_title>
<issue_description>### Your suggestion
Just like the existing baseline for level 1
Azure.Pillar.Security.L1, we need to identify rules that should be included in the Level 2 baseline that are not already assigned a level. Some rules have already been labeled forAzure.WAF/maturity=L2, however others have not.We need to initially identify the rules that should be included in level 2 based on the following guidance.
In Level 2 of the Security pillar, you build on your baseline security configuration to further reduce potential threats during workload deployment. This stage emphasizes strengthening deployment practices, establishing a maintenance plan for code assets and workload components, developing a data classification framework, securing network ingress points, and hardening workload components—all essential steps to enhance your overall security posture.
Level 1 of the Security pillar focuses on securing the development phase of your SDLC. Level 2 assumes that you established baseline security measures for the development phase and that you're ready to deploy the first iterations of your workload or components of your workload.
In this phase, focus on building your deployment automation to optimize efficiency and security. Use deployment pipelines like Azure Pipelines or GitHub Actions and standardize using these pipelines exclusively for all changes to your workload. Routinely perform good code hygiene practices to ensure that your code base is free of defects and code that might introduce risks. Finally, familiarize your team with the Microsoft Security Development Lifecycle. As your workload evolves, regularly revisit the recommendations in this guidance to ensure that your SDLC remains optimized for security.
Develop a maintenance plan:
In the context of security, a maintenance plan refers to standard practices that you adopt to maintain the security of your code and workload components throughout their life cycles. Build mechanisms and processes to handle emergency fixes in your deployment pipeline. For example, you might accelerate deployments through quality gates by using direct communication between teams and developing expedited roll-back and roll-forward plans.
Include software, libraries, and infrastructure patching in your standard processes to ensure that all components of your workload are always up to date. Keep a catalog of versioned assets to help during incident response, problem resolution, and system recovery. You can also use automation to compare these versions with known vulnerabilities in the Common Vulnerabilities and Exposures program.
Classify data based on sensitivity needs
Adopt a data classification system and its supporting processes to help ensure that you maintain confidentiality and integrity. Start with broad categories like Public, General, Confidential, and Highly Confidential, and apply appropriate levels of security to protect those categories throughout your data stores. Consider investing in tooling like Microsoft Purview to govern your data. For detailed best practices, see the data classification guidance in the Microsoft compliance documentation.
Apply authorization and authentication controls
As part of your IdP solution implementation, you can start applying controls related to authorization and authentication. Use role-based access controls to help limit access to workload components by applying granular permissions to resources based on user roles. Apply these permissions based on the principle of least access.
Further enhance your controls by using conditional access policies. These policies grant or deny access to resources based on specific conditions like a user's geographic location or whether a user's device complies with security policies. You can also take advantage of features like just-in-time access to lock down access to sensitive components.
Secure your network ingress
Secure your network ingress as much as practical to improve your overall security posture. A secure network ingress is your first line of defense against outside attackers. Your cloud provider might have various tools that you can use in your specific environment, but be sure to understand all possible ingress points in your workload. You might add a firewall to a virtual network or its subnets, like network security groups in Azure virtual networks. If you use platform resources like Azure SQL Database, you might have opti...
⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.