AzSKStaging

4.6.7

Framework/Configurations/SVT/Services/RedisCache.json

                                {

  "FeatureName": "RedisCache",

  "Reference": "aka.ms/azsktcp/rediscache",

  "IsMaintenanceMode": false,

  "Controls": [

    {

      "ControlID": "Azure_RedisCache_AuthZ_Grant_Min_RBAC_Access",

      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",

      "Id": "RedisCache110",

      "ControlSeverity": "Medium",

      "Automated": "Yes",

      "MethodName": "CheckRBACAccess",

      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

      "Recommendation": "Remove any excessive privileges granted on the Redis Cache. Assign 'Redis Cache Contributor' RBAC role to developers who manages Redis Cache configurations. Run command: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",

      "Tags": [

        "SDL",

        "TCP",

        "Automated",

        "AuthZ",

        "RBAC",

        "RedisCache"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostics_Log",

      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",

      "Id": "RedisCache120",

      "ControlSeverity": "Medium",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",

      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "Audit",

        "Diagnostics",

        "RedisCache"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_RedisCache_AuthZ_Configure_IP_Range",

      "Description": "Configure Redis Cache firewall settings for additional protection",

      "Id": "RedisCache130",

      "ControlSeverity": "Medium",

      "Automated": "Yes",

      "MethodName": "CheckRedisCacheFirewallIPAddressRange",

      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.",

      "Recommendation": "Enable firewall and add rules specifying permitted IPs/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as that allows access to all possible IPs. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall, (REST API) https://docs.microsoft.com/en-in/rest/api/redis/redisfirewallrule.  Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",

      "Tags": [

        "SDL",

        "Best Practice",

        "Automated",

        "AuthZ",

        "RedisCache"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup",

      "Description": "Redis Data Persistence should be enabled to back up Redis Cache data",

      "Id": "RedisCache140",

      "ControlSeverity": "Medium",

      "Automated": "Yes",

      "MethodName": "CheckRedisCacheRDBBackup",

      "Rationale": "Enabling backup on Redis Cache ensures that there is always a previous snapshot of data that can be leveraged towards recovery scenarios.",

      "Recommendation": "Configure data persistence. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#redis-data-persistence",

      "Tags": [

        "SDL",

        "Best Practice",

        "Automated",

        "BCDR" ,

        "RedisCache"       

      ],

      "Enabled": true

    },

   {

      "ControlID": "Azure_RedisCache_DP_Use_SSL_Port",

      "Description": "Non-SSL port must not be enabled",

      "Id": "RedisCache150",

      "ControlSeverity": "High",

      "Automated": "Yes",

      "MethodName": "CheckRedisCacheSSLConfig",

      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",

      "Recommendation": "To disable Non-SSL port for Redis Cache, run command : Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort `$false",

      "Tags": [

         "SDL",

         "TCP",

         "Automated",

         "DP",

         "RedisCache"

      ],

      "Enabled": true,

      "FixControl": {

         "FixMethodName": "DisableNon_SSLport_RedisCache",

         "FixControlImpact": "High"

      },

      "PolicyDefinitionGuid": "22bee202-a82f-4305-9a2a-6d7f44d4dedb"

   },

    {

      "ControlID": "Azure_RedisCache_DP_Rotate_Keys",

      "Description": "Access keys must be rotated periodically",

      "Id": "RedisCache160",

      "ControlSeverity": "Medium",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",

      "Recommendation": "Rotate keys at regular intervals. To generate a new key, run command 'New-AzRedisCacheKey'. Run 'Get-Help New-AzRedisCacheKey -full' for more help.",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "DP",

        "RedisCache"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_RedisCache_AuthN_Dont_Share_Cache_Instances",

      "Description": "Do not share cache instances across applications",

      "Id": "RedisCache170",

      "ControlSeverity": "High",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "There is no access control within a cache. If multiple applications share the same cache they will be able to freely access each others cached data which may lead to compromise.",

      "Recommendation": "Create a separate Redis Cache instance for each application. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-web-app-howto#configure-the-application-to-use-redis-cache",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "AuthN",

        "RedisCache"

      ],

      "Enabled": true

    },

      {

      "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_For_Domain_App",

      "Description": "Redis Cache instance should be confined within a virtual network for domain-joined scenarios",

      "Id": "RedisCache180",

      "ControlSeverity": "Medium",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "Azure Virtual Network (VNet) deployment provides enhanced security and isolation for Azure Redis Cache, as well as subnets, access control policies, and other features to further restrict access.",

      "Recommendation": "For steps to configure Azure Redis Cache on a Virtual Network, refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "NetSec",

        "RedisCache"

      ],

      "Enabled": true

    }

  ]

}