articles/security-center/recommendations-reference.md
7 additions & 2 deletions
@@ -21,11 +21,11 @@ This article lists the recommendations you might see in Azure Security Center. T
To learn about how to respond to these recommendations, see [Remediate recommendations in Azure Security Center](security-center-remediate-recommendations.md).
-
Your secure score is based on how many Security Center recommendations you have mitigated. To prioritize the recommendations to resolve first, consider the severity of each, as well as the Security Controls described in [Secure Score and Security Controls]().
+
Your secure score is based on how many Security Center recommendations you have mitigated. To prioritize the recommendations to resolve first, consider the severity of each, as well as the Security Controls described in [Secure Score and Security Controls](secure-score-security-controls.md#security-controls-and-their-recommendations).
## Azure Security Center recommendations
-
||Description & related policy|Severity|[Quick fix enabled](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations#recommendations-with-quick-fix-remediation)|Resource type|
+
||Description & related policy|Severity|Quick fix enabled?([Learn more](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations#recommendations-with-quick-fix-remediation))|Resource type|
|----|----|----|----|----|
||<aname="recs-network"></a><h3>Network recommendations - regarding your network's topology and internet facing endpoints|
|**Just-in-time network access control should be applied on virtual machines**|Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only.<br>(Related policy: Just-In-Time network access control should be applied on virtual machines)|High|N|Virtual machine|
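Review bot: the new header cell `Quick fix enabled?([Learn more](...))` has no space before the parenthesis and will render as `enabled?(Learn more)`; suggest `Quick fix enabled? ([Learn more](...))`. Replacing the empty target in `[Secure Score and Security Controls]()` with `secure-score-security-controls.md#security-controls-and-their-recommendations` fixes a dead link, but the fragment only works if it matches the heading id in that file, so it is worth confirming with the docs link check. In the same region, the unchanged context line `<aname="recs-network"></a><h3>Network recommendations ...` lacks the space in `<a name` and has no closing `</h3>`, so the anchor and heading may not render as intended; a follow-up fix there would be cheap while this table is being touched.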
@@ -58,6 +58,11 @@ Your secure score is based on how many Security Center recommendations you have
|**Diagnostic logs in Search services should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Search services should be enabled)|Low|**Y**|Compute resources (search)|
|**Diagnostic logs in Service Bus should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Service Bus should be enabled)|Low|**Y**|Compute resources (service bus)|
|**Diagnostic logs in Virtual Machine Scale Sets should be enabled**|Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised.<br>(Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled)|Low|N|Virtual machine scale set|
+
|**Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster (Preview)**|To provide granular filtering of the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see [Azure role-based access control](https://docs.microsoft.com/azure/aks/concepts-identity#role-based-access-controls-rbac).<br>(Related policy: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services)|Medium|N|Compute resources (Containers)|
+
|**The Kubernetes Service should be upgraded to the latest Kubernetes version (Preview)**|Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see [Kubernetes CVEs](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kubernetes).<br>(Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version)|High|N|Compute resources (Containers)|
+
|**Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview)**|Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.<br>(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)|Medium|N|Compute resources (Containers)|
+
|**Access to a Kubernetes Service Management API should be limited by authorizing specific IP ranges only (Preview)**|Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.<br>(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services)|High|N|Compute resources (Containers)|
+
|**Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) (Preview)**|Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks.<br>(No related policy)|High|N|Compute resources (Containers)|
|**Service Fabric clusters should only use Azure Active Directory for client authentication**|Perform Client authentication only via Azure Active Directory in Service Fabric.<br>(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication)|High|N|Compute resources (service fabric)|
|**Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign**|Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.<br>(Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set)|High|N|Compute resources (service fabric)|
|**All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace**|Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace)|Low|N|Compute resources (service bus)|
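Review bot: the added row `The Kubernetes Service should be upgraded to the latest Kubernetes version (Preview)` tells the reader to move to the latest version, while its related policy is `Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version`; those are different thresholds, so the description should state which one the assessment actually checks, otherwise readers will see the recommendation clear before they reach the latest release or keep chasing it after it has cleared. In the Pod Security Policies row, "reduce the attack vector" should read "reduce the attack surface", and the description restates the title almost word for word; one sentence on what a policy restricts would make the row actionable. In the RBAC row, the link text `Azure role-based access control` sits in a recommendation about managing permissions inside Kubernetes Service Clusters and points at the RBAC section of the AKS identity article; since Azure RBAC and Kubernetes RBAC are distinct mechanisms, consider link text that names the one the recommendation evaluates.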