Azure / bicep-registry-modules

Bicep registry modules
MIT License

Set default values to a secure value - App Service #2441

Open elbatane opened 2 years ago

elbatane commented 2 years ago

All default values should comply with a security baseline, e.g. NIST 800

The built-in policies of Azure can be used as a reference.

The task would be to scan over each of the following policies and make sure that the module complies with them by default.

The following policies are the NIST 800 ones:

\built-in-policies\policyDefinitions\App Configuration\PrivateLink_Audit.json
\built-in-policies\policyDefinitions\App Platform\Spring_VNETEnabled_Audit.json
\built-in-policies\policyDefinitions\App Service\AppServiceApiApp_AuditHTTP_Audit.json
\built-in-policies\policyDefinitions\App Service\AppServiceFunctionApp_AuditHTTP_Audit.json
\built-in-policies\policyDefinitions\App Service\AppServiceWebapp_AuditHTTP_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_ApiApp_Audit_ClientCert.json
\built-in-policies\policyDefinitions\App Service\AppService_ApiApp_Audit_HTTP_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_ApiApp_Audit_java_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_ApiApp_Audit_PHP_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_ApiApp_Audit_python_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_AuditFTPS_ApiApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_AuditFTPS_FunctionApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_AuditFTPS_WebApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_AuditLoggingMonitoring_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_DisableRemoteDebugging_ApiApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_DisableRemoteDebugging_FunctionApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_DisableRemoteDebugging_WebApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_FunctionApp_Audit_ClientCert.json
\built-in-policies\policyDefinitions\App Service\AppService_FunctionApp_Audit_HTTP_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_FunctionApp_Audit_java_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_FunctionApp_Audit_python_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_RequireLatestTls_ApiApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_RequireLatestTls_FunctionApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_RequireLatestTls_WebApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_RestrictCORSAccess_ApiApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_RestrictCORSAccess_FuntionApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_RestrictCORSAccess_WebApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_UseManagedIdentity_ApiApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_UseManagedIdentity_FunctionApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_UseManagedIdentity_WebApp_Audit.json
\built-in-policies\policyDefinitions\App Service\AppService_Webapp_Audit_ClientCert.json
\built-in-policies\policyDefinitions\App Service\AppService_WebApp_Audit_HTTP_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_WebApp_Audit_java_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_Webapp_Audit_PHP_Latest.json
\built-in-policies\policyDefinitions\App Service\AppService_WebApp_Audit_python_Latest.json
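As an added illustration (not code from the registry module or from the issue author), a minimal Bicep resource whose parameter defaults map onto the App Service policies listed above: HTTPS only, latest TLS, FTPS only, remote debugging off, client certificates required, a system-assigned managed identity and no wildcard CORS origin. The parameter names, the resource symbolic name and the API version are assumptions.

```bicep
// Added example: secure-by-default parameters for a Microsoft.Web/sites resource.
// Parameter names and the API version are assumptions, not the registry module's own.
param name string
param location string = resourceGroup().location
param serverFarmId string

// AppService*_AuditHTTP_Audit: plain HTTP requests are redirected to HTTPS
param httpsOnly bool = true

// AppService_RequireLatestTls_*: the decorator stops callers from passing 1.0 or 1.1
@allowed(['1.2'])
param minTlsVersion string = '1.2'

// AppService_AuditFTPS_*: unencrypted FTP is never accepted
@allowed(['FtpsOnly', 'Disabled'])
param ftpsState string = 'FtpsOnly'

// AppService_DisableRemoteDebugging_*: debugging endpoints stay closed
param remoteDebuggingEnabled bool = false

// AppService_*_Audit_ClientCert: mutual TLS is required unless a caller opts out
param clientCertEnabled bool = true

// AppService_RestrictCORSAccess_*: an empty list grants no cross-origin access;
// callers pass explicit origins rather than '*'
param corsAllowedOrigins array = []

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: name
  location: location
  // AppService_UseManagedIdentity_*: identity is always provisioned
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: serverFarmId
    httpsOnly: httpsOnly
    clientCertEnabled: clientCertEnabled
    clientCertMode: clientCertEnabled ? 'Required' : 'Optional'
    siteConfig: {
      minTlsVersion: minTlsVersion
      ftpsState: ftpsState
      remoteDebuggingEnabled: remoteDebuggingEnabled
      cors: {
        allowedOrigins: corsAllowedOrigins
      }
    }
  }
}
```

A deployment with only the required parameters then evaluates as compliant against the listed Audit policies, and a caller has to override a default explicitly to weaken any of them.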

AlexanderSehr commented 2 years ago

Hey @MattLeach25 are you still planning to work on this issue? Otherwise we can re-assign it? :)

SeSeicht commented 1 year ago

Compliance Result (NIST SP 800-53 Rev. 5) of KeyVault CARML Default (min) Deployment: [image]

SeSeicht commented 1 year ago

Compliance Result (NIST SP 800-53 Rev. 5) of KeyVault CARML Default (min) Deployment:

with common parameters: [image]

microsoft-github-policy-service[bot] commented 3 months ago

[!IMPORTANT] The "Needs: Triage :mag:" label must be removed once the triage process is complete!

[!TIP] For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

AlexanderSehr commented 3 months ago

Hey @tsc-buddy , I just migrated this issue over from CARML. Please take a look and triage if still relevant :)

microsoft-github-policy-service[bot] commented 3 months ago

[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

[!TIP]

  • To prevent further actions from taking effect, the "Status: Response Overdue 🚩" label must be removed once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!

microsoft-github-policy-service[bot] commented 3 months ago

[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

[!TIP]

  • To prevent further actions from taking effect, the "Status: Response Overdue 🚩" label must be removed once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!

microsoft-github-policy-service[bot] commented 3 months ago

[!CAUTION] This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days.

[!TIP]

  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" and "Status: Response Overdue :triangular_flag_on_post:" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention :bangbang:" label once the issue has been responded to.