hund030 / AiGallery


Issue report #23

Closed hund030 closed 6 days ago

hund030 commented 1 week ago

AI Gallery Standard Validation: FAILED

The Definition of Done of the AI-Gallery repo can be found Here.

Repository Management:

:x: README.md File. [How to fix?]
  - Error: ## Features is missing in README.md.
  - Error: ## Getting Started is missing in README.md.
  - Error: ## Guidance is missing in README.md.
  - Error: ## Resources is missing in README.md.
:heavy_check_mark: LICENSE File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:x: .github/CODE_OF_CONDUCT.md File. [How to fix?] - Error: .github/CODE_OF_CONDUCT.md file is missing.
:x: CONTRIBUTING.md File. [How to fix?] - Error: CONTRIBUTING.md file is missing.
:x: .github/ISSUE_TEMPLATE.md File. [How to fix?] - Error: .github/ISSUE_TEMPLATE.md file is missing.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: .github/workflows/azure-dev.yml File.
:x: .github/workflows/pr-gate.yml File. [How to fix?] - Error: .github/workflows/pr-gate.yml file is missing.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: ERROR: no project exists; to create a new project, run `azd init`
:x: azd down. [How to fix?] Error: ERROR: no project exists; to create a new project, run `azd init`

Security Requirements:

:x: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?]
  - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
:warning: Security scan. [How to fix?]

  - error: AZR-000095 - Cosmos DB provides two authorization options for interacting with the database:
    - Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations.
    - Keys and resource tokens. Can be used to authorize resource management and data operations.

    Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.

  - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

  - error: TA-000019 - For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

  - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:
    - Azure services on the trusted service list.
    - IP address or CIDR range.
    - Private endpoint connections.
    - Azure virtual network subnets with a Service Endpoint.

  - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

  - error: AZR-000355 - By default, Key Vault accepts connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:
    - Azure services on the trusted service list.
    - IP address or CIDR range.
    - Private endpoint connections.
    - Azure virtual network subnets with a Service Endpoint.

    If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:
    - enabledForDeployment - Azure Virtual Machines for deployment.
    - enabledForDiskEncryption - Azure Disk Encryption for volume encryption.
    - enabledForTemplateDeployment - Azure Resource Manager for template deployment.

  - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate.

  - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints support authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys.

  - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.

  - error: AZR-000291 - Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities:
    - Centralizes identity management and auditing.
    - Allows granting of permissions using role-based access control (RBAC).
    - Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable.

    To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed.

  - error: AZR-000053 - API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management.

  - error: AZR-000055 - API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not considered secure. Many of these ciphers are enabled by default and need to be set to 'False'. The following ciphers are considered weak or deprecated:
    - TripleDes168
    - TLS_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_256_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_128_GCM_SHA256.

  - error: AZR-000361 - Using managed identities has the following benefits:
    - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
    - You can use role-based access control to grant specific permissions to a managed identity.
    - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
    - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
    - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
    - You can use managed identity to create connections for Dapr-enabled applications via Dapr components.

  - error: TA-000023 - To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.

  - error: AZR-000022 - To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled:
    - kube-audit or kube-audit-admin, or both.
      - kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post.
      - kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log.
    - guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out.

  - error: AZR-000028 - AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints. Examples of policies include:
    - Enforce HTTPS ingress in Kubernetes cluster.
    - Do not allow privileged containers in Kubernetes cluster.
    - Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster.

  - error: AZR-000029 - AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD.

  - error: AZR-000030 - In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities. All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges. Restricting authorized IP addresses for the API server has the following limitations:
    - Requires AKS clusters configured with a Standard Load Balancer SKU.
    - This feature is not compatible with clusters that use Public IP per Node.
    - This feature is not compatible with AKS private clusters.

    When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32. You should add these ranges to the allow list:
    - Include output IP addresses for cluster nodes
    - Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems.

  - error: AZR-000032 - Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.
    - Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.
    - Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.

    Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resources can be managed using Azure Resource Manager (ARM). When Azure RBAC is enabled:
    - Azure AD principals will be validated exclusively by Azure RBAC.
    - Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.

  - error: AZR-000033 - AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured, secrets, keys, and certificates can be securely accessed from a pod. The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation. Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal.

  - error: AZR-000363 - Container apps environments allow you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

  - error: TA-000019 - For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

  - error: AZR-000363 - Container apps environments allow you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

  - error: AZR-000095 - Cosmos DB provides two authorization options for interacting with the database:
    - Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations.
    - Keys and resource tokens. Can be used to authorize resource management and data operations.

    Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.

  - error: AZR-000186 - Enable Microsoft Defender for Azure SQL logical server.

  - error: AZR-000187 - Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.

  - error: AZR-000188 - Azure SQL Database offers two authentication models, Azure Active Directory (AAD) and SQL authentication. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over SQL authentication include:
    - Support for Azure Multi-Factor Authentication (MFA).
    - Conditional-based access with Conditional Access.

    It is also possible to disable SQL authentication entirely and only use AAD authentication.

  - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

  - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

  - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

  - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

  - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default.

  - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.

  - warning: AZR-000407 - Manage access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity.

  - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.

  - warning: AZR-000407 - Manage access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity.

  - warning: AZR-000031 - AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies. When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions. In an AKS cluster with local accounts disabled, an administrator will be unable to get the clusterAdmin credential. For example, using `az aks get-credentials -g '' -n '' --admin` will fail.

  - warning: AZR-000370 - To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon sets and deployments need to be deployed to the AKS clusters. These components are installed when the Defender profile is enabled on the cluster. The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

  - warning: AZR-000390 - Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication. By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management. Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins. Azure AD-only authentication is only supported for the flexible server deployment model.