Azure VM 漏洞列表

Ensure that an Azure activity log alert is fired whenever "Create Virtual Machine" or "Update Virtual Machine" events are triggered in your Microsoft Azure cloud account. Activity log alerts get triggered when a new activity log event that matches the condition specified in the alert configuration occurs. This rule is crucial as it monitors for any administrative activity log related to "Create or Update Virtual Machine".

Ensure that user-defined tags are being used for labeling, collecting, and organizing cloud resources within your Microsoft Azure account. User-defined tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple cloud resources. Trend Micro Cloud One™ – Conformity recommends the following tagging schema to help you identify and manage your Azure resources: Name, Role, Environment, and Owner.

Ensure that Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving its networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter and CPU utilization, so it can be used with the most demanding network workloads that can be installed on the supported VM types.

Ensure that Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving its networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, so it can be used with the most demanding network workloads that can be installed on the supported VM types.

Ensure that Boot Diagnostics feature is enabled for your Azure virtual machines (VMs) in order to capture server serial console output and the operating system screenshots, required for diagnosing and troubleshooting VM startup issues.

Ensure that your Microsoft Azure virtual machine (VM) boot volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The boot (OS) volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your cloud application.

Ensure that your Azure virtual machine disk volumes are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for disk encryption), in order to have a more granular control over your VM data encryption/decryption process.

Ensure that all your Microsoft Azure virtual machines (VMs) have endpoint protection installed in order to help you identify and remove viruses, spyware, and other malicious software. The Azure Security Center service monitors the status of anti-malware protection for Azure virtual machines (VMs) and highlights if there is insufficient protection, marking the virtual machines without endpoint protection as vulnerable to malware threats.

Ensure that your Microsoft Azure virtual machines (VMs) are configured to use Microsoft Entra ID credentials for secure SSH/RDP access. Once enabled, you can use your corporate Microsoft Entra ID credentials to log in to your virtual machines, enforce Multi-Factor Authentication (MFA), or enable access via RBAC roles.

Ensure that Guest-Level Diagnostics feature is enabled for your Azure virtual machines (VMs) in order to gather diagnostic data useful to create notification alerts and get vital information about the state of your VM applications using advanced metrics.

Ensure that your Microsoft Azure virtual machines (VMs) have system-assigned managed identities enabled in order to allow secure virtual machine access to Azure resources such as key vaults and storage accounts.

Ensure that your production Microsoft Azure virtual machines are configured to use SSH keys instead of username/password credentials for SSH authentication. Using SSH keys enhances security by eliminating the risks associated with password-based authentication.

Ensure that your Microsoft Azure virtual machines (VMs) are using Standard SSD disk volumes instead of Premium SSD volumes for cost-effective storage that fits a broad range of workloads from web servers to enterprise applications that need consistent performance at lower IOPS levels. Unless you are running mission-critical applications or performance sensitive workloads that need more than 6000 IOPS or 750 MiB/s of throughput per VM disk volume, Cloud Conformity recommends converting your Premium SSD volumes to Standard SSD in order to lower the cost of your Azure monthly bill.

Ensure that the Trusted Launch security feature is enabled for Gen 2 virtual machines (VMs) in order to protect against persistent and advanced attacks with configurable capabilities such as Secure Boot and virtual Trusted Platform Module (vTPM).

Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.

Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers. Automatic OS Upgrades feature supports both Windows and Linux images, and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created using the latest image version available. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained. To minimize the application downtime, the upgrades take place in multiple batches, with a maximum of 20% of the scale set upgrading at any time.

Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.

Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.

Ensure that each Microsoft Azure virtual machine scale set is integrated with a load balancer in order to distribute incoming traffic among healthy virtual machine instances running within the scale set. Azure load balancer is a layer 4 load balancer that provides low latency, high throughput, and scales up to millions of flows for all TCP and UDP web applications.

Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Metadata service and have a predefined delay timeout configured for the "Terminate" operation (event). The termination notifications are delivered through Scheduled Events, an Azure Metadata feature which sends termination notifications, and can also be used to delay impactful operations such as reboots and redeployments. The delay associated with the "Terminate" event will depend on the delay limit specified in the VM scale set model configuration.

Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect the scale sets from datacenter-level failures.