Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature. Ensure that Azure App Services applications are configured to use Application Insights feature. For each question in the Well-Architected Tool, we have identified which checks from our knowledge base are applicable. Whether your cloud exploration is just starting to take shape, you're mid-way through a migration or you're already running complex workloads in the cloud, Conformity offers full visibility of your infrastructure and provides continuous assurance it's secure, optimized and compliant. Ensure there are no network security groups with range of ports opened to allow incoming traffic. Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects. Ensure that an activity log alert is created for "Create or Update Load Balancer" events. Ensure that Azure Key Vault certificates are using the appropriate key type(s). Ensure that your Azure SQL database servers are configured to use auto-failover groups. Head over to Cloud Conformity today to see for yourself with a free 14-day trial.
Launch applications when needed without upfront commitments, Easily store, manage, and deploy container images, Run containerized applications in production, Scalable, elastic, cloud-native file system for Linux, Highly available, scalable, and secure Kubernetes service, Achieve fault tolerance for any application by ensuring scalability, performance, and security, Easily Run and Scale Apache Spark, Hadoop, HBase, Presto, Hive, and other Big Data Frameworks, Managed, Redis or Memcached-compatible in-memory data store, Fully managed, scalable, and secure Elasticsearch service, Prepare and load real-time data streams into data stores and analytics tools, Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring, Provides ongoing visibility into the state of your AWS resources, services, and accounts, Securely manage access to AWS services and resources, Automated security assessment service to help improve the security and compliance of applications deployed on AWS, Easily create and control the keys used to encrypt your data, Easily collect, process, and analyze video and data streams in real time, Run code without thinking about servers. Cloud Conformity provides continuous assurance that your AWS infrastructure is compliant with AWS Best Practice. Ensure there is a sufficient backup retention period configured for Azure App Services applications. Ensure there are no custom owner roles within your Microsoft Azure cloud account. Ensure that the external accounts with write permissions are monitored using Azure Security Center. Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access. Enable "log_connections" parameter for your Microsoft Azure PostgreSQL database servers. Ensure that Azure Log Profile is configured to export all control & management activities.
Ensure that joining devices to Active Directory requires Multi-Factor Authentication. Figure 5 – SEC 8 Reporting in Conformity. Enable adaptive application safelisting monitoring for Microsoft Azure virtual machines. Ensure that in-transit encryption is enabled for your Azure PostgreSQL database servers. Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account. Ensure that Azure activity log retention period is set for 365 days or greater. The continually growing Knowledge Base contains 600+ ready-to-go checks that run against your cloud … Ensure that an activity log alert is created for the "Create/Update Network Security Group Rule" events. Along with better visibility, compliance and faster remediation for your cloud infrastructure, Conformity also has a growing public library of 750+ cloud infrastructure configuration best practices for your AWS™ and Microsoft® Azure environments. Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol. Ensure that an activity log alert is created for "Delete Azure SQL Database (Microsoft.Sql/servers/databases)" events. Ensure that "Email Notification for Alerts" security feature is enabled within Azure Security Center. Ensure there is an activity log alert created for the "Delete Key Vault" events. Copyright © 2021 Trend Micro Incorporated. Ensure that AKS clusters are using the latest available version of Kubernetes software. Ensure that security groups can be created only by Active Directory (AD) administrators. Ensure that the total number of subscription owners within your Azure account is monitored. Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys. 2018 Growth for Cloud Conformity: 450 rules, 50+ services, 5+ Compliance Standards, and new… As 2018 comes to a close, the Cloud Conformity team has continued to bolster and add to our cloud infrastructure governance tools.
Cloud Conformity’s knowledge base provides a consolidated list of the Lambda functions that are included in the continuous assurance checks. Enable FTPS-only access for your Microsoft Azure App Services web applications. Enable system updates recommendations for Microsoft Azure virtual machines (VMs). Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets. Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL database servers. Ensure that "All Users" group is enabled for centralized access management within your Active Directory account. Ensure that Network Watcher service is enabled for all your Microsoft Azure subscriptions. Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs. This is the most comprehensive AWS management tool currently available in the market. Ensure that an activity log alert is created for the "Create/Update Network Security Group" events. Application scaling to optimize performance and costs, Centrally manage and automate backups across AWS services. Ensure that an activity log alert is created for "Rename Azure SQL Database" events. Fully managed, in-memory cache for DynamoDB, Manage the lifecycle of your AWS resources, Migrate your databases to AWS with minimal downtime, Fast, scalable, highly available MongoDB-compatible database service, Fast and flexible NoSQL database service for any scale, Easy to use, high performance block storage at any scale, Secure and resizable compute capacity in the cloud. Ensure that all your Azure virtual machine instances are launched from approved machine images only. The framework underpins our entire platform and forms our Knowledge Base to ensure your cloud infrastructure is the most resilient, secure and efficient for your needs.
Ensure that "connection_throttling" parameter is set to "ON" within your Azure PostgreSQL server settings. Ensure that a Customer-Managed Key is created for your Azure cloud application tier. Ensure there is a sufficient period configured for the SSL certificates auto-renewal. To easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources, Create, maintain, and secure APIs at any scale. Especially if you’re launching a knowledge base for the first time, you’re likely tracking many moving parts: Rather than trying to build a rocket ship to the moon, you’ll want to take baby steps. Ensure that Microsoft Azure Security Center recommendations are examined and resolved. Ensure that monitoring of deprecated accounts within your Azure subscription(s) is enabled. Ensure that an activity log alert is created for "Delete PostgreSQL Database" events. Ensure that an activity log alert is created for the "Delete Network Security Group Rule" events. Ensure that Azure Blob Storage service has a lifecycle management policy configured. Ensure that PostgreSQL database servers have a sufficient log retention period configured. Ensure there is a sufficient daily backup retention period configured for Azure virtual machines. Get results in seconds. Enable automatic failover for Microsoft Azure Cosmos DB accounts. Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring. Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted. Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled. Ensure that an activity log alert is created for the "Create/Update Security Solution" events. Ensure that Azure App Service web applications are using the latest version of PHP. Ensure that an expiration date is set for all your Microsoft Azure secret keys.
Ensure that non-privileged users are not allowed to register third-party applications. Ensure that certificate transparency is enabled for all your Azure Key Vault certificates. There are 17 step by step guides on implementing S3 best practices through the CLI, and over 350 guides across the different services. Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis. Ensure that an Azure Active Directory (AAD) admin is configured for PostgreSQL authentication. Compute Optimizer Auto Scaling Group Findings. Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database). Ensure that Azure App Service web applications are using the latest version of Python. Ensure that Azure virtual machines are configured to use system-assigned managed identities. Ensure that "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level. Ensure there is a tagging strategy in use for identifying and organizing Azure resources by name, purpose, environment, and other criteria. Ensure that Azure Key Vault RSA certificates are using the appropriate key size. Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution. Currently, our platform checks your infrastructure for just under 400 rules across 43 different services. Ensure that an activity log alert is created for the "Update Security Policy" events. Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.
Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB accounts configuration. Enable web application firewall monitoring for Microsoft Azure virtual machines (VMs). Below are the cloud, services and their associated best practice rules with clear instructions on how to perform the updates, made either through the console or via the Command Line Interface (CLI). Ensure that an activity log alert is created for the "Create/Update/Delete SQL Server Firewall Rule" events. Ensure that Microsoft Azure Active Directory (AD) users are notified on password resets. Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications. Cloud Conformity uses its Knowledge Base of over 500 rules to automate checks across most services supported by AWS. Ensure that Azure SQL database servers are accessible via private endpoints only. Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers. Ensure that encryption at rest is enabled for unattached Azure virtual machine disk volumes. All of our Knowledge Base rules are mapped to compliance standards or endorsed by AWS as best practice checks, and give simple “success” or “failed” results for the highest clarity on your cloud environment’s security posture. Cloud One - Conformity provides real-time monitoring and auto-remediation for the security, compliance and governance of your cloud infrastructure. Ensure that Multi-Factor Authentication feature is enabled for all non-privileged users. Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies. Enable administrators and subscription owners to receive threat detection email notification alerts for SQL servers. Ensure that email notifications are enabled for virtual machine (VM) backup alerts. Microsoft® Azure best practice rules. Conformity tests the resources, and provides the detailed results.
Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks. Ensure that anonymous access to blob containers is disabled within your Azure Storage account. Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption. Ensure that Microsoft Azure Advisor recommendations are analyzed and implemented. AWS assisted the telecommunications customer with mapping its internal security controls to the Cloud Conformity rules and identifying gaps. Enable OS vulnerability monitoring for Microsoft Azure virtual machines (VMs). Ensure there is a sufficient instant restore retention period configured for Azure virtual machines. Ensure there is an Azure activity log alert created for "Delete Load Balancer" events. Model and provision all your cloud infrastructure resources, Fast, highly secure and programmable content delivery network (CDN), Observability of your AWS resources and applications on AWS and on-premises, Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources, Monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources, Discover insights and relationships in text, Recommends optimal AWS resources to reduce costs and improve performance for your workloads, Record and evaluate configurations of your AWS resources. Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers. Enable all types of threat detection for your Microsoft Azure SQL database servers. Ensure that geo-redundant backups are enabled for your Azure PostgreSQL database servers.
Ensure that encryption at rest is enabled for Microsoft Azure virtual machine non-boot volumes. Focus on building out the knowledge base that tackles the needs of the greatest number of people. Ensure that Azure Search Service instances are configured to use system-assigned managed identities. Here is our growing list of Azure best practice rules with clear instructions on how to perform the updates, made either through the Azure console or via the Command Line Interface (CLI). Ensure that JIT network access monitoring for Azure virtual machines (VMs) is enabled. At Cloud Conformity, we often harp on about the AWS Well-Architected Framework and for very good reason. Regenerate storage account access keys periodically to help keep your storage account secure. Enable SQL encryption monitoring and recommendations for Microsoft Azure SQL servers. Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs. development and a secure, optimized cloud infrastructure Conformity has the leading Knowledge Base catalogue of infrastructure rules and controls directly available within its platform. Ensure that Azure Storage containers created to host static websites are not publicly accessible. Ensure that vulnerability assessment monitoring for Azure virtual machines (VMs) is enabled. Ensure that no network security groups allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol, FTP). Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address). Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs. Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. Pay only for the queries you run.
This catalogue of cloud guardrails is a core part of Conformity which automatically monitors and auto-remediates cloud infrastructure. Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud database tier. Ensure that Azure virtual machine scale sets are configured for zone redundancy. Ensure that only approved extensions are installed on your Microsoft Azure virtual machines. Leaving you to grow and scale your business with confidence. Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol, RDP). Ensure that App Service Authentication is enabled within your Microsoft Azure cloud account. Ensure that Azure App Service web applications are using the latest stable version of HTTP. Ensure that your Microsoft Azure Key Vault instances are recoverable. Ensure that Active Directory users are not allowed to add applications to Azure Access Panel. Identify and remove unused load balancers from your Microsoft Azure cloud account. According to the World Meteorological Organization's International Cloud Atlas, more than 100 types of clouds exist. Here we break down exactly what the framework is by looking at the individual pillars and what they mean for users, … Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH). Require Active Directory administrators to provide consent for applications before use. Ensure that all your Azure App Services applications are using the Backup and Restore feature. This is Conformity’s report for the AWS Well-Architected Framework. Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults. Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs). Ensure that Security Center standard pricing tier is enabled in your Microsoft Azure account.
Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data. Identify and remove empty virtual machine scale sets from your Azure cloud account. Ensure that an activity log alert is created for "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)" events. Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators. Pay only for the compute time you consume, Managed message broker service for Apache ActiveMQ, Fully managed, highly available, and secure Apache Kafka service, A machine learning-powered security service to discover, classify, and protect sensitive data. Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE). Ensure there is an activity log alert created for the "Create/Update Storage Account" events. Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call, RPC). The Knowledge Base is built on the AWS Well-Architected Framework with clear, step-by-step remediation rules actionable through both the AWS Console and CLI. Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 days. Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers. Along with continuous assurance of your infrastructure, Cloud Conformity is an educational tool, providing detailed resolution steps to rectify security vulnerabilities, performance and cost inefficiencies, and reliability risks. Ensure there are no Microsoft Azure Active Directory guest users if they are not needed. Ensure that an activity log alert is created for "Update Key Vault (Microsoft.KeyVault/vaults)" events. Ensure that non-administrator users are not allowed to access Active Directory administration portal. Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On feature.
Ensure that "Also send email notification to subscription owners" feature is enabled within Azure Security Center. Fast, reliable graph database built for the cloud, Central governance and management across AWS accounts, Set up, operate, and scale a relational database in the cloud with just a few clicks, The most popular and fastest growing cloud data warehouse, A reliable and cost-effective way to route end users to Internet applications, A reliable and cost-effective way to manage domain names, Object storage built to store and retrieve any amount of data from anywhere, Flexible, affordable, and highly-scalable email sending and receiving service for businesses and developers, Fully managed pub/sub messaging for microservices, distributed systems, and serverless applications, Fully managed message queues for microservices, distributed systems, and serverless applications, Gain operational insights and take action on AWS resources, Machine learning for every developer and data scientist, Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle, Centrally view and manage security alerts and automate compliance checks, Reduce Costs, Increase Performance, and Improve Security, Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define, Protect your web applications from common web exploits, Learn, measure, and build using architectural best practices, Access your desktop anywhere, anytime, from any device, Analyze and debug production, distributed applications, Microsoft AKS allows you to quickly deploy a production ready Kubernetes cluster in Azure, Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) is a cloud-based service that provides an easy way of authenticating and authorizing users to gain access to your web applications and services. 
Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters. Ensure that an expiration date is configured for all your Microsoft Azure encryption keys. Ensure that the health of your Microsoft Azure scale set instances is being monitored. Ensure that an activity log alert is created for the "Create Policy Assignment" events. Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database. Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.