List of Rules by Azure
GitHub Action edited this page Feb 17, 2025 · 6 revisions
Name | Description | Service Section | Category |
---|---|---|---|
ecc-azure-002-cis_iam_owner_roles | Custom role with Owner privileges on a subscription scope is created | Identity and Access Management | Access control |
ecc-azure-004-cis_sec_auto_provisioning | Automatic provisioning is set to "Off" in Security Center (Microsoft Defender for Cloud) | Microsoft Defender for Cloud | Detection services |
ecc-azure-005-cis_sec_email | 'Additional email addresses' is not configured in Microsoft Defender for Cloud | Microsoft Defender for Cloud | Detection services |
ecc-azure-006-cis_sec_high_sev_notifications | Notification alerts are disabled in Security Center (Microsoft Defender for Cloud) | Microsoft Defender for Cloud | Detection services |
ecc-azure-007-cis_sec_owners_email_notifications | Notification alerts to admins or subscription owners are disabled in Microsoft Defender for Cloud | Microsoft Defender for Cloud | Detection services |
ecc-azure-008-cis_sa_sec_transfer_req | Storage account that allows HTTP traffic | Storage | Encryption of data in transit |
ecc-azure-009-cis_sa_private | Storage Account with publicly accessed blobs | Storage | Resources not publicly accessible |
ecc-azure-010-cis_sa_net_defaultAction | Storage Account accepted connections from public network | Storage | Resources not publicly accessible |
ecc-azure-011-cis_sa_soft_del | Soft delete for Azure Storage Blobs is disabled | Storage | Backups enabled |
ecc-azure-012-cis_sa_enc | Azure Storage account data is encrypted with Microsoft Managed Key | Storage | Encryption of data at rest |
ecc-azure-013-cis_db_auditing_on | Azure SQL Database Auditing is set to "Off" | Databases | Logging |
ecc-azure-014-cis_db_sql_db_encryption_on | Transparent Data Encryption is disabled on SQL Database | Databases | Encryption of data at rest |
ecc-azure-015-cis_db_auditing_90d | Azure SQL Database Auditing retention policy set to less than 90 days | Databases | Logging |
ecc-azure-016-cis_db_sql_ads_atp | Advanced Threat Protection is disabled on SQL server | Databases | Monitoring |
ecc-azure-024-cis_db_postgresql_ssl | SSL connection is disabled on PostgreSQL servers | Databases | Encryption of data in transit |
ecc-azure-025-cis_db_mysql_ssl | SSL connection is disabled on MySQL servers | Databases | Encryption of data in transit |
ecc-azure-026-cis_db_postgresql_log_checkpoints | PostgreSQL instance with server parameter 'log_checkpoints' disabled | Databases | Logging |
ecc-azure-027-cis_db_postgresql_log_connections | PostgreSQL instance with server parameter 'log_connections' disabled | Databases | Logging |
ecc-azure-028-cis_db_postgresql_log_disconnections | PostgreSQL instance with server parameter 'log_disconnections' disabled | Databases | Logging |
ecc-azure-030-cis_db_postgresql_connection_throttling | PostgreSQL instance with server parameter 'connection_throttling' disabled | Databases | Logging |
ecc-azure-031-cis_db_postgresql_log_retention_days | PostgreSQL instance with server parameter 'log_retention_days' is set to less than 4 days | Databases | Logging |
ecc-azure-032-cis_db_aad_admin | Azure Active Directory admin is not configured for Azure SQL | Databases | Root user access restrictions |
ecc-azure-033-cis_db_sql_tde_protector | Transparent Data Encryption protector is not encrypted with Customer Managed key | Databases | Encryption of data at rest |
ecc-azure-036-cis_log_storage_cont_access | Monitor Log Profile storage account that stores activity logs and allows public access to containers | Logging and Monitoring | Resources not publicly accessible |
ecc-azure-037-cis_log_sa_activ_logs | Monitor Log Profile has storage account that contains a container with activity logs not encrypted with Customer Managed Key | Logging and Monitoring | Encryption of data at rest |
ecc-azure-038-cis_log_keyvaults | Key Vault with logging disabled | Cryptography & PKI | Logging |
ecc-azure-039-cis_log_create_policy | Subscription where Activity Log Alert does not exist for Create Policy Assignment | Logging and Monitoring | Monitoring |
ecc-azure-042-cis_log_create_upd_nsg | Subscription does not contain Activity Log Alert with appropriate scope for Create or Update Network Security Group Rule | Logging and Monitoring | Monitoring |
ecc-azure-043-cis_log_del_nsg | Subscription does not contain Activity Log Alert with appropriate scope for Delete Network Security Group Rule | Logging and Monitoring | Monitoring |
ecc-azure-044-cis_log_create_upd_solutions | Subscription does not contain Activity Log Alert with appropriate scope for Create or Update Security Solution | Logging and Monitoring | Monitoring |
ecc-azure-045-cis_log_del_solutions | Subscription does not contain Activity Log Alert with appropriate scope for Delete Security Solution | Logging and Monitoring | Monitoring |
ecc-azure-046-cis_log_create_update_sql | Subscription does not contain Activity Log Alert with appropriate scope for Create or Update or Delete SQL Server Firewall Rule | Logging and Monitoring | Monitoring |
ecc-azure-048-cis_net_rdp | Network Security Group with inbound rule that allows RDP traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-049-cis_net_ssh | Network Security Group with inbound rule that allows SSH traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-050-cis_net_db_firewall | SQL instances accessible from the Internet or Azure services | Networking & Content Delivery | Security group configuration |
ecc-azure-052-cis_net_udp | Network Security Group with inbound rule that allows UDP traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-053-cis_vm_attached_disks | Managed disk attached to a VM that is not encrypted with Customer Managed Key | Storage | Encryption of data at rest |
ecc-azure-054-cis_vm_unattached_disks | Unattached managed disks not encrypted with Customer Managed Key | Storage | Encryption of data at rest |
ecc-azure-055-cis_key_exp_on | Key without expiration date set | Cryptography & PKI | Key, Secrets, and Certificate management |
ecc-azure-056-cis_secret_exp | Secret without expiration date set | Cryptography & PKI | Key, Secrets, and Certificate management |
ecc-azure-057-cis_key_recoverable | Key vault without Soft Delete or Purge Protection enabled | Cryptography & PKI | Secure configuration |
ecc-azure-058-cis_aks_rbac | Kubernetes cluster without RBAC enabled | Kubernetes Engine | Access control |
ecc-azure-059-cis_app_auth_set | App Service without App Service Authentication enabled | AppService | Access control |
ecc-azure-060-cis_app_https | App Service that allows HTTP traffic | AppService | Encryption of data in transit |
ecc-azure-061-11_cis_app_last_tls | App Service that uses TLS version before 1.3 | AppService | Vulnerability, patch, and version management |
ecc-azure-061-51_cis_app_last_tls | App Service that uses TLS version before 1.3 | AppService | Protocols |
ecc-azure-064-cis_app_ftp_disabled | App Service that allows FTP deployments | AppService | Secure configuration |
ecc-azure-065-11_cis_app_last_http | App Service without HTTP 2.0 enabled | AppService | Vulnerability, patch, and version management |
ecc-azure-065-51_cis_app_last_http | App Service without HTTP 2.0 enabled | AppService | Protocols |
ecc-azure-066-cis_log_delete_policy | Subscription does not contain Activity Log Alert with appropriate scope for Delete Policy Assignment | Logging and Monitoring | Monitoring |
ecc-azure-067-cis_log_create_upd_nsg_rule | Subscription does not contain Activity Log Alert with appropriate scope for Create or Update Network Security Group Rule (securityRules) | Logging and Monitoring | Monitoring |
ecc-azure-068-cis_log_del_nsg_rule | Subscription does not contain Activity Log Alert with appropriate scope for Delete Network Security Group Rule (securityRules) | Logging and Monitoring | Monitoring |
ecc-azure-069-11_cis_app_last_java | App Service with outdated Java version | AppService | Vulnerability, patch, and version management |
ecc-azure-069-51_cis_app_last_java | App Service with outdated Java version | AppService | Runtime version |
ecc-azure-070-11_cis_app_last_python | App Service with outdated Python version | AppService | Vulnerability, patch, and version management |
ecc-azure-070-51_cis_app_last_python | App Service with outdated Python version | AppService | Runtime version |
ecc-azure-071-11_cis_app_last_php | App Service with outdated PHP version | AppService | Vulnerability, patch, and version management |
ecc-azure-071-51_cis_app_last_php | App Service with outdated PHP version | AppService | Runtime version |
ecc-azure-072-cis-app-keyvaults | Azure Web App without Key Vault reference configured | AppService | Credentials not hardcoded |
ecc-azure-094-cis_sec_defender_servers | Azure Defender for Servers is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-095-cis_sec_defender_app | Azure Defender for App Service is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-096-cis_sec_defender_azure_sql | Azure Defender for SQL database servers is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-097-cis_sec_defender_sql_machines | Azure Defender for SQL servers on machines is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-098-cis_sec_defender_storages | Azure Defender for Storage is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-099-cis_sec_defender_aks | Azure Defender for Kubernetes is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-100-cis_sec_defender_acr | Azure Defender for Container Registries is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-101-cis_sec_defender_keyvaults | Azure Defender for Key Vault is set to "Off" | Microsoft Defender for Cloud | Detection services |
ecc-azure-102-cis_sec_defender_wdatp | WDATP integration is disabled in Microsoft Defender for Cloud | Microsoft Defender for Cloud | Detection services |
ecc-azure-103-cis_sec_mcas | MCAS integration is disabled in Security Center (Microsoft Defender for Cloud) | Microsoft Defender for Cloud | Detection services |
ecc-azure-105-cis_sa_keys_regen | Storage account without recently regenerated access keys | Storage | Inventory |
ecc-azure-106-cis_sa_logging_queue | Storage account without logging enabled for Queues | Storage | Logging |
ecc-azure-108-cis_sa_tms | Storage account that does not allow access from "Trusted Microsoft Services" | Storage | Access control |
ecc-azure-109-cis_sa_logging_blob | Storage account without logging enabled for Blobs | Storage | Logging |
ecc-azure-110-cis_sa_logging_table | Storage account without logging enabled for Tables | Storage | Logging |
ecc-azure-111-cis_db_postgre_access | PostgreSQL Database Server with 'Allow access to Azure services' enabled | Databases | Access control |
ecc-azure-112-cis_net_netwatcher | Network Watcher is disabled across the subscription | Networking & Content Delivery | Detection services |
ecc-azure-113-cis_vm_utilizing_managed_disks | Virtual machine that utilizes unmanaged disks | Compute | Encryption of data at rest |
ecc-azure-116-cis_vm_endpoint_protection | Virtual machine without endpoint protection installed | Compute | Vulnerability, patch, and version management |
ecc-azure-117-cis_vm_vhd_encrypted | [Legacy] Virtual machine utilizes unmanaged disks without encryption | Compute | Encryption of data at rest |
ecc-azure-119-nsg_all | Network Security Group with inbound rule that allows all traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-120-nsg_dns | Network Security Group with inbound rule that allows DNS traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-121-nsg_ftp | Network Security Group with inbound rule that allows FTP traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-122-cis_nsg_http | Network Security Group with inbound rule that allows HTTP traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-123-nsg_microsoft_ds | Network Security Group with inbound rule that allows SMB traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-124-nsg_mongo_db | Network Security Group with inbound rule that allows MongoDB traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-125-nsg_mysql | Network Security Group with inbound rule that allows MySQL traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-126-nsg_netbios | Network Security Group with inbound rule that allows NetBIOS traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-127-nsg_oracle_db | Network Security Group with inbound rule that allows OracleDB traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-128-nsg_pop3 | Network Security Group with inbound rule that allows POP3 traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-129-nsg_postgresql | Network Security Group with inbound rule that allows PostgreSQL traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-130-nsg_smtp | Network Security Group with inbound rule that allows SMTP traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-131-nsg_telnet | Network Security Group with inbound rule that allows Telnet traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-132-vm_wo_del_lock | Instance without deletion protection | Security & Compliance | Data deletion protection |
ecc-azure-133-vm_wo_tags | Instance without any tags | Security & Compliance | Tagging |
ecc-azure-137-storage_replication | Storage account without replication enabled | Storage | High availability |
ecc-azure-142-asb_vm_net_ports_restrict | Network Security Group assigned to network interface or subnet with inbound rule that allows all traffic from the Internet | Networking & Content Delivery | Security group configuration |
ecc-azure-143-asb_api_mgmt_vnet | API Management service without virtual network configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-144-asb_aks_auth_ip_ranges | Kubernetes cluster without authorized IP ranges configured and/or exposed to the public Internet | Kubernetes Engine | Security group configuration |
ecc-azure-145-asb_cosmosdb_fw_rules | Cosmos DB accounts without firewall rules | Databases | Security group configuration |
ecc-azure-146-asb_keyvault_disable_public_access | Key Vault with enabled public access | Cryptography & PKI | Resources not publicly accessible |
ecc-azure-147-asb_cognitive_disable_public_access | Cognitive service with enabled public access | Networking & Content Delivery | Resources not publicly accessible |
ecc-azure-148-asb_cognitive_disable_net_access | Cognitive service with defaultAction set to "Allow" | Networking & Content Delivery | Resources not publicly accessible |
ecc-azure-149-asb_acs_not_allow_unrestr_access | Azure Container Registry that accepts connections over the Internet from hosts on any network | Containers | Resources not publicly accessible |
ecc-azure-150-asb_vm_net_access_protected_by_nsg | Primary virtual machine network interface with a public IP assigned and no Network Security Group assigned | Compute | Security group configuration |
ecc-azure-151-asb_vm_disable_ip_forward | Virtual machine network interface with IP Forwarding enabled | Compute | Secure network configuration |
ecc-azure-152-asb_vm_jit_port_protection | VM without JIT policy enabled for SSH or RDP ports | Compute | Access control |
ecc-azure-155-asb_mssql_public_access_disabled | Azure SQL instance with public access enabled | Databases | Resources not publicly accessible |
ecc-azure-157-asb_mysql_public_access_disabled | MySQL instance with public access enabled | Databases | Resources not publicly accessible |
ecc-azure-158-asb_postgresql_public_access_disabled | PostgreSQL instance with public access enabled | Databases | Resources not publicly accessible |
ecc-azure-159-asb_sa_restrict_net_access_vnet_rules | Storage accounts without virtual network IP rules | Storage | Resources within VPC |
ecc-azure-160-asb_nsg_assoc_subnet | Virtual network with network security groups not assigned to subnets | Networking & Content Delivery | Security group configuration |
ecc-azure-161-asb_appconfig_private_link | App Configuration service without Private Endpoint connection configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-162-asb_redis_cache_reside_vnet | Redis cache that does not reside in a subnet | Databases | Resources within VPC |
ecc-azure-163-asb_eg_domains_private_link | Event Grid Domains service without Private Endpoint connection configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-164-asb_eg_topics_private_link | Event Grid Topics service without Private Endpoint connection configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-165-asb_ml_workspaces_private_link | Machine Learning workspace without Private Endpoint connection configured | Machine Learning | Resources within VPC |
ecc-azure-166-asb_signalr_private_link | SignalR service without Private Endpoint connection configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-167-asb_spring_cloud_net_injection | Spring Cloud service without runtime subnet configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-168-asb_acs_private_link | Container Registry without Private Endpoint connection configured | Containers | Resources within VPC |
ecc-azure-170-asb_keyvault_private_endpoint | Key Vault without Private Endpoint connection configured | Cryptography & PKI | Resources within VPC |
ecc-azure-172-asb_mysql_private_endpoint | MySQL instance without Private Endpoint connection configured | Databases | Resources within VPC |
ecc-azure-173-asb_postgresql_private_endpoint | PostgreSQL instance without Private Endpoint connection configured | Databases | Resources within VPC |
ecc-azure-174-asb_sa_private_link | Storage Account without Private Endpoint connection configured | Storage | Resources within VPC |
ecc-azure-176-asb_ddos_protection_enabled | Virtual network without DDoS protection enabled which contains application gateway subnet | Networking & Content Delivery | Detection services |
ecc-azure-177-asb_waf_enabled_for_app_gateway | Application Gateway without Web Application Firewall enabled | Networking & Content Delivery | Protective services |
ecc-azure-178-asb_waf_enabled_for_front_door | Azure Front Door service without Web Application Firewall enabled | Networking & Content Delivery | Protective services |
ecc-azure-180-asb_func_app_managed_identity | Function app without Managed Identity configured (neither SystemAssigned nor UserAssigned) | AppService | Access control |
ecc-azure-181-asb_web_app_managed_identity | Web app without Managed Identity configured (neither SystemAssigned nor UserAssigned) | AppService | Access control |
ecc-azure-182-asb_service_fabric_aad_auth | Service Fabric cluster without AAD client authentication | Identity and Access Management | Access control |
ecc-azure-184-asb_vm_linux_ssh_auth_req | Linux virtual machine without SSH key as the primary authentication method (password authentication allowed) | Compute | Passwordless authentication |
ecc-azure-197-asb_vm_disk_encryption_on | Virtual machine without Azure Disk Encryption configured | Compute | Encryption of data at rest |
ecc-azure-199-asb_redis_ssl | SSL connection is disabled on Redis Cache | Databases | Encryption of data in transit |
ecc-azure-200-asb_auto_acc_encrypted | Automation account with unencrypted variable | Security & Compliance | Encryption of data at rest |
ecc-azure-201-asb_cosmosdb_encrypt_cmk | Cosmos DB accounts without CMK encryption configured | Databases | Encryption of data at rest |
ecc-azure-202-asb_azl_encrypt_cmk | Machine Learning workspace without CMK encryption configured | Security & Compliance | Encryption of data at rest |
ecc-azure-203-asb_postgresql_encrypt_cmk | PostgreSQL instance without CMK encryption configured | Databases | Encryption of data at rest |
ecc-azure-204-asb_cognitive_sa_encrypt_cmk | Cognitive Services without CMK encryption configured | Security & Compliance | Encryption of data at rest |
ecc-azure-205-asb_acs_ecnrypted_cmk | Container Registry without CMK encryption configured | Containers | Encryption of data at rest |
ecc-azure-206-asb_service_fabric_property | Service Fabric cluster without configured ClusterProtectionLevel property set to EncryptAndSign | Security & Compliance | Encryption of data in transit |
ecc-azure-213-asb_lt_defender_dns | Azure Defender for DNS is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-214-asb_defender_arm | Azure Defender for Resource Manager is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-215-asb_networktraffic_linuxvm | Linux virtual machines without Dependency Agent installed | Compute | Detection services |
ecc-azure-216-asb_networktraffic_winvm | Windows virtual machines without Dependency Agent installed | Compute | Logging |
ecc-azure-218-asb_reslogs_stream | Azure Stream Analytics with logging disabled | Logging and Monitoring | Logging |
ecc-azure-219-asb_reslogs_batch | Batch account with logging disabled | Logging and Monitoring | Logging |
ecc-azure-220-asb_reslogs_synapseanalytics | Azure Synapse Analytics with logging disabled | Logging and Monitoring | Logging |
ecc-azure-222-asb_reslogs_iot | IoT Hub with logging disabled | Logging and Monitoring | Logging |
ecc-azure-224-asb_reslogs_logicapps | Logic Apps service with logging disabled | Logging and Monitoring | Logging |
ecc-azure-225-asb_reslogs_search | Azure Search with logging disabled | Logging and Monitoring | Logging |
ecc-azure-226-asb_reslogs_servicebus | Service Bus with logging disabled | Logging and Monitoring | Logging |
ecc-azure-227-asb_reslogs_vmss | Virtual machine scale sets without LinuxDiagnostic or IaaSDiagnostics extension installed | Compute | Logging |
ecc-azure-228-asb_guest_extension | Virtual machine without Guest Configuration extension installed | Compute | Secure configuration |
ecc-azure-231-asb_vm_wo_ama | Virtual machine without AzureMonitorWindowsAgent or AzureMonitorLinuxAgent extension installed | Compute | Logging |
ecc-azure-232-asb_vmss_wo_ama | Virtual machine scale sets without AzureMonitorWindowsAgent or AzureMonitorLinuxAgent extension installed | Compute | Logging |
ecc-azure-234-asb_guest_extension_mi | Virtual machine with Guest Configuration extension installed without utilizing Managed Identity (SystemAssigned) | Compute | Secure configuration |
ecc-azure-235-asb_k8s_policy | Kubernetes cluster with Azure Policy for AKS disabled | Kubernetes Engine | Secure configuration |
ecc-azure-237-asb_cors_func | Function app with CORS rule that allows every resource to access the service | AppService | Secure access management |
ecc-azure-238-asb_cors_web | Web app with CORS rule that allows every resource to access the service | AppService | Secure access management |
ecc-azure-240-asb_certif_web | Web app with 'Incoming client certificates' disabled | AppService | Secure configuration |
ecc-azure-241-asb_certif_func | Function app with 'Incoming client certificates' disabled | AppService | Secure configuration |
ecc-azure-257-asb_remotedebug_func | Function app with Remote debugging enabled | AppService | Secure access management |
ecc-azure-258-asb_remotedebug_web | Web app with Remote debugging enabled | AppService | Secure access management |
ecc-azure-267-11_asb_java_funcapp | Function app has an outdated Java version | AppService | Vulnerability, patch, and version management |
ecc-azure-267-51_asb_java_funcapp | Function app has an outdated Java version | AppService | Runtime version |
ecc-azure-270-11_asb_python_funcapp | Function app has an outdated Python version | AppService | Vulnerability, patch, and version management |
ecc-azure-270-51_asb_python_funcapp | Function app has an outdated Python version | AppService | Runtime version |
ecc-azure-272-asb_scaleset | Virtual machine scale sets without endpoint protection installed | Compute | Secure configuration |
ecc-azure-275-asb_vm_backup | Virtual machine without Backup configured | Compute | Backups enabled |
ecc-azure-277-asb_geo_mysql | MySQL instance without Geo-redundant backup | Databases | High availability |
ecc-azure-278-asb_geo_postgresql | PostgreSQL instance without Geo-redundant backup | Databases | High availability |
ecc-azure-279-aks_local_auth_disabled | Kubernetes cluster with local authentication methods enabled | Kubernetes Engine | Access control |
ecc-azure-280-aks_private_clusters | Kubernetes cluster with private cluster feature disabled | Kubernetes Engine | API private access |
ecc-azure-281-11_aks_non_vulnerable_version | Kubernetes cluster that utilizes one of the vulnerable k8s versions | Kubernetes Engine | Vulnerability, patch, and version management |
ecc-azure-281-51_aks_non_vulnerable_version | Kubernetes cluster that utilizes one of the vulnerable k8s versions | Kubernetes Engine | Engine version |
ecc-azure-282-aks_temp_disks_and_cache_encryptedathost | Kubernetes cluster without EncryptionAtHost enabled | Kubernetes Engine | Encryption of data at rest |
ecc-azure-283-aks_reslogs_aks | Kubernetes cluster with logging disabled | Kubernetes Engine | Logging |
ecc-azure-284-aks_disks_encrypted | Kubernetes cluster without OS and Data disks CMK encryption configured | Kubernetes Engine | Encryption of data at rest |
ecc-azure-286-aks_network_policy | A network policy is not in place to secure traffic between pods | Kubernetes Engine | Secure configuration |
ecc-azure-287-aks_azure_cni_networking | Azure CNI Networking is disabled | Kubernetes Engine | Resource configuration |
ecc-azure-288-aks_cluster_pool_contains_nodes | Cluster Pool contains less than 3 Nodes | Kubernetes Engine | High availability |
ecc-azure-289-acr_admin_user_disabled | Admin user is enabled for Container Registry | Containers | Root user access restrictions |
ecc-azure-290-acr_resource_locks | Container Registry has no locks | Containers | Data deletion protection |
ecc-azure-291-storage_accounts_regions | Storage Accounts outside Europe | Storage | Resource configuration |
ecc-azure-293-sql_data_replication_failover_groups | Azure SQL Server without data replication through Failover groups | Databases | High availability |
ecc-azure-294-vm_availability_set | Azure Virtual Machine is not assigned to an availability set | Compute | High availability |
ecc-azure-295-sql_avoid_ad_admin_name | Name like 'Admin' for an Azure SQL Server Active Directory Administrator account is found | Databases | Secure configuration |
ecc-azure-296-sql_avoid_local_admin_name | Name like 'Admin' for an Azure SQL Server Administrator account is found | Databases | Secure configuration |
ecc-azure-298-function_app_service_logging | App Service logs disabled for a containerized Function App | AppService | Logging |
ecc-azure-299-function_app_health_check | Function App with Health Check disabled | AppService | Resource configuration |
ecc-azure-300-11_app_gateway_tls_version | Application Gateway with vulnerable and outdated TLS version | Networking & Content Delivery | Vulnerability, patch, and version management |
ecc-azure-300-51_app_gateway_tls_version | Application Gateway with vulnerable and outdated TLS version | Networking & Content Delivery | Protocols |
ecc-azure-301-redis_cache_fw_rules | Redis Cache without firewall rules, exposed to the public Internet | Databases | Security group configuration |
ecc-azure-302-redis_cache_disabled_public_access | Redis Cache with enabled public access | Databases | Resources not publicly accessible |
ecc-azure-304-app_gateway_https | Application Gateway that uses the HTTP protocol | Networking & Content Delivery | Encryption of data in transit |
ecc-azure-305-11_cis_storage_account_minimum_tls | Storage account with vulnerable and outdated TLS version | Storage | Vulnerability, patch, and version management |
ecc-azure-305-51_cis_storage_account_minimum_tls | Storage account with vulnerable and outdated TLS version | Storage | Protocols |
ecc-azure-306-cis_postgresql_infrastructure_double_enc | PostgreSQL instance with disabled Infrastructure double encryption | Databases | Encryption of data at rest |
ecc-azure-310-asb_defender_open_source_rds | Azure Defender for OpenSource Relational Databases is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-311-cis_postgresql_logging_collector | PostgreSQL instance with server parameter 'logging_collector' disabled | Databases | Logging |
ecc-azure-313-cis_postgresql_log_min_messages | PostgreSQL instance without server parameter 'log_min_messages' set to WARNING | Databases | Logging |
ecc-azure-314-cis_postgresql_debug_print_plan_disabled | PostgreSQL instance with server parameter 'debug_print_plan' enabled | Databases | Logging |
ecc-azure-317-cis_postgresql_log_error_verbosity_set_correctly | PostgreSQL instance without server parameter 'log_error_verbosity' set to VERBOSE | Databases | Logging |
ecc-azure-318-cis_postgresql_log_line_prefix_set_correctly | PostgreSQL instance with server parameter 'log_line_prefix' set incorrectly | Databases | Logging |
ecc-azure-319-cis_postgresql_log_min_error_statement | PostgreSQL instance without server parameter 'log_min_error_statement' set to ERROR | Databases | Logging |
ecc-azure-321-cis_postgresql_log_statement_set_correctly | PostgreSQL instance with server parameter 'log_statement' set incorrectly | Databases | Logging |
ecc-azure-323-linux_vmss_ssh | Azure Linux virtual machine scale set that does not use an SSH key | Compute | Passwordless authentication |
ecc-azure-324-data_explorer_double_encryption | Azure Kusto cluster without double encryption enabled | Analytics | Encryption of data at rest |
ecc-azure-325-data_explorer_disc_encryption | Azure Kusto cluster without disk encryption | Analytics | Encryption of data at rest |
ecc-azure-326-data_explorer_cmk | Azure Kusto cluster without CMK configured | Analytics | Encryption of data at rest |
ecc-azure-327-data_factory_git_repo | Azure Data Factory that does not use a Git repository for source control | Analytics | Resource configuration |
ecc-azure-328-data_factory_cmk | Azure Data Factory not encrypted with a customer-managed key | Analytics | Encryption of data at rest |
ecc-azure-329-batch_cmk | Azure Batch account that does not use Key Vault to encrypt data | Security & Compliance | Encryption of data at rest |
ecc-azure-331-app_service_detailed_error_messages | App Service with detailed error messages logging disabled | AppService | Logging |
ecc-azure-332-app_service_request_tracing | App Service without failed request tracing configured | AppService | Logging |
ecc-azure-333-iot_hub_public_access | Public network access enabled for Azure IoT Hub | Networking & Content Delivery | Resources not publicly accessible |
ecc-azure-334-cosmosdb_priveleged_escalation | Cosmos DB account with unrestricted write access to the management plane | Databases | Access control |
ecc-azure-336-vmss_encryption_at_host | Virtual machine scale sets without EncryptionAtHost enabled | Compute | Encryption of data at rest |
ecc-azure-337-vm_antimalware_auto_updates | Microsoft Antimalware is not configured to automatically update Virtual Machines | Compute | Vulnerability, patch, and version management |
ecc-azure-339-kv_secrets_content_type | Secret without 'content_type' set | Cryptography & PKI | Tagging |
ecc-azure-340-appgw_waf_log4j | Application Gateway without Log4j WAF rule enabled or applied Ruleset version 3.0 or above | Networking & Content Delivery | Protective services |
ecc-azure-341-front_door_waf_log4j | Azure Front Door without Log4j WAF rule enabled | Networking & Content Delivery | Protective services |
ecc-azure-342-11_mssql_latest_tls | Azure SQL instance with vulnerable and outdated TLS version | Databases | Vulnerability, patch, and version management |
ecc-azure-342-51_mssql_latest_tls | Azure SQL instance with vulnerable and outdated TLS version | Databases | Protocols |
ecc-azure-343-postgresql_threat_detection_policy | Advanced Threat Protection is disabled on PostgreSQL server | Databases | Monitoring |
ecc-azure-344-mysql_threat_detection_policy | Advanced Threat Protection is disabled on MySQL server | Databases | Monitoring |
ecc-azure-345-mysql_infrastructure_encryption | MySQL instance with disabled Infrastructure double encryption | Databases | Encryption of data at rest |
ecc-azure-346-11_mysql_latest_tls | MySQL instance with vulnerable and outdated TLS version | Databases | Vulnerability, patch, and version management |
ecc-azure-346-51_mysql_latest_tls | MySQL instance with vulnerable and outdated TLS version | Databases | Protocols |
ecc-azure-347-mysql_cmk | MySQL instance without CMK encryption configured | Databases | Encryption of data at rest |
ecc-azure-348-mysql_harden_usage_for_local_infile | MySQL instance with server parameter 'local_infile' enabled | Databases | Resource configuration |
ecc-azure-349-mysql_max_user_connections | MySQL instance without a limit set for server parameter 'max_user_connections' | Databases | Resource configuration |
ecc-azure-350-mysql_slow_query_log_permissions | MySQL instance with server parameter 'slow_query_log' disabled | Databases | Logging |
ecc-azure-351-sql_mode | MySQL instance without sql_mode parameter set to "STRICT_ALL_TABLES" value | Databases | Resource configuration |
ecc-azure-353-vmss_auto_image_patching | Virtual machine scale sets without OS image autoupgrade enabled | Compute | Vulnerability, patch, and version management |
ecc-azure-354-acr_anonymous_pull | Container registry with anonymous pull enabled | Containers | Access control |
ecc-azure-355-ml_min_cluster_nodes | Azure Machine Learning Compute cluster has a minNodeCount property not equal to 0 | Security & Compliance | Autoscaling |
ecc-azure-356-api_mgmt_client_cert | API Management service without configured client certificates | Security & Compliance | Key, Secrets, and Certificate management |
ecc-azure-357-databricks_public_access | Azure Databricks workspace with enabled public access | Analytics | Resources not publicly accessible |
ecc-azure-358-synapse_workspace_managed_vnet | Azure Synapse workspace without managed virtual network | Analytics | Resources within VPC |
ecc-azure-359-synapse_workspace_data_exfiltration_protection | Azure Synapse workspace without data exfiltration protection enabled | Analytics | Secure configuration |
ecc-azure-362-vm_without_va_extension | Azure Virtual Machines without Vulnerability Assessment solution | Compute | Secure configuration |
ecc-azure-364-resource_tag_activity_log_alert | Activity Log Alert without tags | Security & Compliance | Tagging |
ecc-azure-365-resource_tag_api_management | API Management without tags | Security & Compliance | Tagging |
ecc-azure-367-vm_omi_vulnerability | Linux virtual machine affected by the OMI vulnerability (CVE-2021-38645) | Compute | Vulnerability, patch, and version management |
ecc-azure-368-vmss_omi_vulnerability | Linux virtual machine scale set affected by the OMI vulnerability (CVE-2021-38645) | Compute | Vulnerability, patch, and version management |
ecc-azure-369-cis_sa_infrastructure_encryption | Storage Account without Infrastructure Encryption enabled | Storage | Encryption of data at rest |
ecc-azure-370-cis_cosmosdb_private_endpoint | CosmosDB account without Private Endpoint connection configured | Networking & Content Delivery | Resources within VPC |
ecc-azure-371-cis_mysql_audit_log_enabled | MySQL instance with server setting "audit_log_enabled" set to "off" | Databases | Logging |
ecc-azure-372-cis_mysql_audit_log_events | MySQL instance with server setting "audit_log_events" set to "off" | Databases | Logging |
ecc-azure-373-cis_activity_log_alert_create_or_update_pip | Subscription where no Activity Log Alert exists for the Create or Update Public IP Address rule | Logging and Monitoring | Monitoring |
ecc-azure-374-cis_activity_log_alert_delete_pip | Subscription where no Activity Log Alert exists for the Delete Public IP Address rule | Logging and Monitoring | Monitoring |
ecc-azure-376-cis_defender_cosmodb | Azure Defender for Cosmos DB service is set to "Off" | Microsoft Defender for Cloud | Monitoring |
ecc-azure-378-vnet_flow_log_analytics | Virtual network Flow Log Analytics disabled | Networking & Content Delivery | Logging |
ecc-azure-379-cis_appservice_http_logs | App Service with web requests logging disabled | Logging and Monitoring | Logging |
ecc-azure-412-cis_tpm_and_secure_boot | Azure virtual machine with Trusted Launch disabled | Compute | Secure configuration |
ecc-azure-413-dep_vm_w_mma | Virtual machine with deprecated MicrosoftMonitoringAgent or OmsAgentForLinux extension installed | Compute | Other |
ecc-azure-414-dep_vmss_w_mma | Virtual machine scale sets with deprecated MicrosoftMonitoringAgent or OmsAgentForLinux extension installed | Compute | Other |
ecc-azure-415-dep_depr_mysql_instance | Deprecated Azure Database for MySQL - Single Server exists in subscription | Databases | Service |
ecc-azure-416-dep_depr_postgresql_instance | Deprecated Azure Database for PostgreSQL - Single Server exists in subscription | Databases | Service |
ecc-azure-417-cis_app_deprecated_java | App Service with deprecated Java version | AppService | Runtime version |
ecc-azure-418-cis_app_deprecated_python | App Service with deprecated Python version | AppService | Runtime version |
ecc-azure-419-cis_app_deprecated_php | App Service with deprecated PHP version | AppService | Runtime version |
ecc-azure-420-asb_deprecated_java_funcapp | Function app has a deprecated Java version | AppService | Runtime version |
ecc-azure-421-asb_deprecated_python_funcapp | Function app has a deprecated Python version | AppService | Runtime version |
ecc-azure-422-dep_depr_mariadb_instance | Deprecated Azure Database for MariaDB exists in subscription | Databases | Service |
ecc-azure-423-dep_retired_spring_instance | Deprecated Azure Spring Apps instance exists in subscription | AppService | Service |
ecc-azure-424-dep_vm_w_diag_ext | Virtual machine with deprecated LinuxDiagnostic or IaaSDiagnostics extension installed | Compute | Other |
ecc-azure-425-dep_vmss_w_diag_ext | Virtual machine scale sets with deprecated LinuxDiagnostic or IaaSDiagnostics extension installed | Compute | Other |
ecc-azure-426-dep_nsg_w_flow_logs | Network security group with retired flow logs feature | Networking & Content Delivery | Feature |
ecc-azure-427-dep_powershell_funcapp | Function app has a deprecated PowerShell version | AppService | Runtime version |
ecc-azure-428-11_dep_eventgrid_latest_tls | Event Grid Domains service has a deprecated TLS version | Networking & Content Delivery | Vulnerability, patch, and version management |
ecc-azure-428-51_dep_eventgrid_latest_tls | Event Grid Domains service has a deprecated TLS version | Networking & Content Delivery | Protocols |
ecc-azure-429-dep_retired_vm_skus | Azure Virtual Machine is using retired VM size | Compute | Instance generation |
ecc-azure-430-dep_dotNet_funcapp | Function app has a deprecated .NET version | AppService | Runtime version |
ecc-azure-431-dep_retired_frontdoor_classic | Retired Azure Front Door (classic) instance exists in subscription | Networking & Content Delivery | Service |
ecc-azure-432-dep_frontdoor_latest_tls | Azure Front Door instance with outdated TLS version | Networking & Content Delivery | Protocols |
ecc-azure-433-11_dep_appenv_latest_tls | App Service Environment that uses TLS version before 1.2 | AppService | Vulnerability, patch, and version management |
ecc-azure-433-51_dep_appenv_latest_tls | App Service Environment that uses TLS version before 1.2 | AppService | Protocols |
ecc-azure-434-dep_retired_storage_classic | Retired classic storage account instance exists in subscription | Storage | Service |
ecc-azure-435-dep_retired_appgw_conf | Application Gateway with retired Web Application Firewall V2 Configuration enabled | Networking & Content Delivery | Feature |
ecc-azure-436-dep_retired_unmanaged_disk | Azure Virtual Machine is using retired unmanaged disk | Compute | Feature |
ecc-azure-437-11_dep_redis_latest_tls | Redis cache with deprecated TLS version | Databases | Vulnerability, patch, and version management |
ecc-azure-437-51_dep_redis_latest_tls | Redis cache with deprecated TLS version | Databases | Protocols |
ecc-azure-439-disable_premium_ssd | Virtual machine with Premium SSD volumes | Storage | Storage optimization |
ecc-azure-440-enable_lifecycle_sa | Storage Account lifecycle is not configured | Storage | Lifecycle management |
ecc-azure-441-delete_empty_vmss | Empty virtual machine scale sets available within your Microsoft Azure cloud account | Compute | Unutilized resources |
ecc-azure-442-delete_unused_lb | Unused load balancers available within your Azure cloud account | Networking & Content Delivery | Unutilized resources |
ecc-azure-444-00_delete_old_snapshot | Old Azure virtual machine (VM) disk snapshots exist in subscription | Storage | Unutilized resources |
ecc-azure-444-11_delete_old_snapshot | Old Azure virtual machine (VM) disk snapshots exist in subscription | Storage | Data protection |
ecc-azure-445-00_delete_unattached_disk | Unattached (unused) Microsoft Azure virtual machine disk volumes available within your subscription | Storage | Unutilized resources |
ecc-azure-445-11_delete_unattached_disk | Unattached (unused) Microsoft Azure virtual machine disk volumes available within your subscription | Storage | Data protection |
ecc-azure-446-delete_unused_ip | Unused Public IP Addresses available within your Azure cloud account | Networking & Content Delivery | Unutilized resources |
ecc-azure-447-mcsb_ml_idle_shutdown | Azure Machine Learning Compute Instance without idle shutdown configuration | Machine Learning | Idle and underutilized resources |
ecc-azure-448-00_vm_stopped_instance | Stopped Azure VM instances are not removed after a specified time period | Compute | Unutilized resources |
ecc-azure-448-11_vm_stopped_instance | Stopped Azure VM instances are not removed after a specified time period | Compute | Vulnerability, patch, and version management |
ecc-azure-449-vm_idle_cpu_utilization | Idle Azure VM instances | Compute | Idle and underutilized resources |
ecc-azure-451-00_delete_unused_waf | An Application Gateway WAF policy in disabled state | Networking & Content Delivery | Unutilized resources |
ecc-azure-451-11_delete_unused_waf | An Application Gateway WAF policy in disabled state | Networking & Content Delivery | Protective services |
ecc-azure-452-delete_unused_appserviceplan | Unused App Service Plan available within your subscription | AppService | Unutilized resources |
ecc-azure-453-00_vm_deallocated_instance | Deallocated Azure VM instances are not removed after a specified time period | Compute | Unutilized resources |
ecc-azure-453-11_vm_deallocated_instance | Deallocated Azure VM instances are not removed after a specified time period | Compute | Vulnerability, patch, and version management |
ecc-azure-454-11_last_powershell_funcapp | Function app has an outdated PowerShell version | AppService | Vulnerability, patch, and version management |
ecc-azure-454-51_last_powershell_funcapp | Function app has an outdated PowerShell version | AppService | Runtime version |
ecc-azure-455-11_last_dotNet_funcapp | Function app has an outdated .NET version | AppService | Vulnerability, patch, and version management |
ecc-azure-455-51_last_dotNet_funcapp | Function app has an outdated .NET version | AppService | Runtime version |
ecc-azure-456-cis_db_postgresql_res_logs | PostgreSQL instance with logging disabled | Databases | Logging |