This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results.
TLS/HTTPS Policy Checks

Description: The following are new controls for the CaC Solution's Guardrail 7. The goal is to determine whether TLS 1.2+ or HTTPS encryption is being used for all cloud services, including publicly accessible sites and external communications. The first check focuses on Storage Accounts, the second on other cloud apps, and the final check considers firewall configurations. These are built-in policies provided by Microsoft. Note: this check cannot be achieved entirely because of the limits on seeing the configuration of non-native tools, virtual machines hosting websites, etc.

**ItemName: Storage Accounts TLS 1.2 (M)**

**ItemName: App Service HTTPS Configuration (M)**

This check uses built-in Azure Policies and their evaluation to determine compliance. The following policy is part of the Canada Federal PBMM:

- App Service apps should only be accessible over HTTPS

If the PBMM initiative has been applied to the subscription, the policy has not been excluded, and the policy compliance results show all resources compliant, then the check is compliant. If there are no applicable resources in the environment, the check passes by default.

**ItemName: App Service TLS Configuration (R)**

This check uses built-in Azure Policies and their evaluation to determine compliance. This is not mandatory as per the Canada Federal PBMM at this time.

- App Service apps should use the latest TLS version
- App Service Environment should be configured with strongest TLS Cipher suites
- App Service Environment should have TLS 1.0 and 1.1 disabled

If the policies above have been applied across the tenant, none of them has been excluded, and the policy compliance results show all resources compliant, then the check is compliant. If there are no applicable resources in the environment, the check passes by default.

**ItemName: Function App HTTPS Configuration (M)**

This check uses built-in Azure Policies and their evaluation to determine compliance. The following policy is part of the Canada Federal PBMM:

- Function apps should only be accessible over HTTPS

If the PBMM initiative has been applied to the subscription, the policy has not been excluded, and the policy compliance results show all resources compliant, then the check is compliant. If there are no applicable resources in the environment, the check passes by default.

**ItemName: Function App TLS Configuration (R)**

This check uses built-in Azure Policies and their evaluation to determine compliance. This is not mandatory as per the Canada Federal PBMM at this time.

- Configure Function app slots to use the latest TLS version
- Configure Function apps to use the latest TLS version

If the policies above have been applied across the tenant, none of them has been excluded, and the policy compliance results show all resources compliant, then the check is compliant. If there are no applicable resources in the environment, the check passes by default.

**ItemName: Azure SQL Database TLS Configuration (R)**

This check uses built-in Azure Policies and their evaluation to determine compliance. This is not mandatory as per the Canada Federal PBMM at this time.

- Azure SQL Database should be running TLS version 1.2 or newer

If the policy above has been applied across the tenant, it has not been excluded, and the policy compliance results show all resources compliant, then the check is compliant. If there are no applicable resources in the environment, the check passes by default.

**ItemName: Application Gateway WAF (R)**

This check uses a built-in Azure Policy and its evaluation to determine compliance. This is not mandatory or part of the Canada Federal PBMM at this time.

- Web Application Firewall (WAF) should be enabled for Application Gateway

If the policy above has been applied across the tenant, it has not been excluded, and the policy compliance results show all resources compliant, then the check is compliant. If there are no applicable resources in the environment, the check passes by default.
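Every item above applies the same decision rule: the policy (or initiative) must be assigned in scope, must not be excluded, every evaluated resource must be Compliant, and an item with no applicable resources passes by default. The following is an added example in Python, not code from the CaC Solution itself, that encodes that rule over constructed records shaped loosely like Azure Policy compliance results. The `PolicyAssignment`/`PolicyState` classes, the way exclusions are represented, and all sample resource IDs are assumptions made for illustration.

```python
"""Worked example (added here, not the CaC Solution's code): evaluate a
Guardrail 7 TLS/HTTPS item from Azure Policy assignment and compliance data."""
from dataclasses import dataclass, field


@dataclass
class PolicyAssignment:
    """One initiative or policy assignment in scope (assumed representation)."""
    name: str
    policies: set[str]                                 # built-in policy display names it contains
    excluded: set[str] = field(default_factory=set)    # members switched off in this assignment


@dataclass
class PolicyState:
    """One row of Azure Policy compliance results for a resource (assumed shape)."""
    policy: str
    resource_id: str
    compliance_state: str                              # "Compliant" or "NonCompliant"


def evaluate_item(item_name, required_policies, assignments, states):
    """Apply the page's rule to one ItemName and return a result dict.

    A policy fails the item if it is not assigned, if it is excluded from every
    assignment that contains it, or if any applicable resource is NonCompliant.
    A policy with no applicable resources contributes a default pass.
    """
    reasons = []
    for policy in required_policies:
        covering = [a for a in assignments if policy in a.policies]
        if not covering:
            reasons.append(f"'{policy}' is not assigned in scope")
            continue
        if all(policy in a.excluded for a in covering):
            reasons.append(f"'{policy}' is excluded from every assignment that contains it")
            continue
        applicable = [s for s in states if s.policy == policy]
        if not applicable:
            continue                                   # no applicable resources: default pass
        bad = sorted(s.resource_id for s in applicable if s.compliance_state != "Compliant")
        if bad:
            reasons.append(f"'{policy}': non-compliant resources {bad}")
    return {"item": item_name,
            "status": "NonCompliant" if reasons else "Compliant",
            "reasons": reasons}


# Policy display names taken from the page.
APP_SERVICE_HTTPS = ["App Service apps should only be accessible over HTTPS"]
APP_SERVICE_TLS = ["App Service apps should use the latest TLS version",
                   "App Service Environment should be configured with strongest TLS Cipher suites",
                   "App Service Environment should have TLS 1.0 and 1.1 disabled"]
SQL_TLS = ["Azure SQL Database should be running TLS version 1.2 or newer"]
WAF = ["Web Application Firewall (WAF) should be enabled for Application Gateway"]

# Constructed sample data: one PBMM initiative assignment and one tenant-wide
# TLS hardening assignment that has excluded the TLS 1.0/1.1 policy.
SAMPLE_ASSIGNMENTS = [
    PolicyAssignment("Canada Federal PBMM",
                     {APP_SERVICE_HTTPS[0], "Function apps should only be accessible over HTTPS"}),
    PolicyAssignment("tls-hardening", set(APP_SERVICE_TLS) | set(SQL_TLS),
                     excluded={"App Service Environment should have TLS 1.0 and 1.1 disabled"}),
]
SAMPLE_STATES = [
    PolicyState(APP_SERVICE_HTTPS[0], "/sites/app1", "Compliant"),
    PolicyState(APP_SERVICE_HTTPS[0], "/sites/app2", "Compliant"),
    PolicyState(APP_SERVICE_TLS[0], "/sites/app1", "NonCompliant"),
    # No rows for the cipher-suite, SQL or WAF policies: no applicable resources.
]


def run_demo():
    """Evaluate four of the page's items against the constructed data."""
    return [
        evaluate_item("App Service HTTPS Configuration (M)", APP_SERVICE_HTTPS, SAMPLE_ASSIGNMENTS, SAMPLE_STATES),
        evaluate_item("App Service TLS Configuration (R)", APP_SERVICE_TLS, SAMPLE_ASSIGNMENTS, SAMPLE_STATES),
        evaluate_item("Azure SQL Database TLS Configuration (R)", SQL_TLS, SAMPLE_ASSIGNMENTS, SAMPLE_STATES),
        evaluate_item("Application Gateway WAF (R)", WAF, SAMPLE_ASSIGNMENTS, SAMPLE_STATES),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result["item"], "->", result["status"], result["reasons"])
```

In the sample run the HTTPS item is compliant, the App Service TLS item fails twice (one non-compliant site and one excluded policy) while its cipher-suite policy passes by default, the SQL item passes by default because no database rows were evaluated, and the WAF item fails because no assignment contains its policy at all. Treating "excluded" and "not assigned" as failures rather than default passes is the point worth keeping when wiring this to real Policy Insights output: an absent evaluation can mean no resources exist, or that nobody is checking.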