Source from repo

Azure Compliance & Security Auditing

Audit Azure resources for compliance, security best practices, and Key Vault expiration monitoring

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

47.5 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/azqr-recommendations.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown175 linesFree

references/azqr-recommendations.md

1# azqr Recommendation Categories
2 
3This document describes how to interpret azqr recommendations and prioritize remediation.
4 
5## Recommendation Sources
6 
7azqr aggregates recommendations from multiple sources:
8 
9| Source | Description | Priority |
10|--------|-------------|----------|
11| **APRL** | Azure Proactive Resiliency Library - reliability-focused best practices | High |
12| **Orphaned Resources** | Resources that are unused or disconnected | Medium |
13| **Azure Advisor** | Microsoft's built-in recommendation engine | Medium |
14| **Defender for Cloud** | Security-focused recommendations | Critical |
15| **Azure Policy** | Governance compliance status | Varies |
16 
17## Impact Categories
18 
19### Reliability
20 
21Recommendations that affect service availability and resiliency:
22 
23| Issue | Risk | Example Resources |
24|-------|------|-------------------|
25| No zone redundancy | Single zone failure causes outage | VMs, Storage, SQL, AKS |
26| Single instance | No failover capability | App Service, Redis, VMs |
27| No backup configured | Data loss risk | VMs, SQL, Cosmos DB |
28| No disaster recovery | Regional failure exposure | Storage, SQL, Key Vault |
29 
30### Security
31 
32Recommendations that affect security posture:
33 
34| Issue | Risk | Example Resources |
35|-------|------|-------------------|
36| Public endpoint exposed | Attack surface exposure | Storage, SQL, Key Vault |
37| Missing encryption | Data exposure risk | Storage, Disks, SQL |
38| No private endpoint | Traffic on public internet | PaaS services |
39| Weak TLS version | Protocol vulnerabilities | App Service, API Management |
40| No managed identity | Credential management risk | App Service, Functions, AKS |
41 
42### Operational Excellence
43 
44Recommendations for better operations:
45 
46| Issue | Risk | Example Resources |
47|-------|------|-------------------|
48| No diagnostic settings | Blind to failures | All resources |
49| Missing alerts | Delayed incident response | All resources |
50| No tags | Governance/cost tracking gaps | All resources |
51| Outdated SKU/version | Missing features/security fixes | All resources |
52 
53### Cost Optimization
54 
55Recommendations to reduce spending:
56 
57| Issue | Risk | Example Resources |
58|-------|------|-------------------|
59| Orphaned disk | Paying for unused storage | Managed Disks |
60| Orphaned public IP | Paying for unused IP | Public IP |
61| Oversized SKU | Excess capacity cost | VMs, SQL, App Service |
62| No reserved capacity | Missing discounts | VMs, SQL, Cosmos DB |
63 
64## Severity Levels
65 
66Prioritize remediation using this severity matrix:
67 
68| Severity | Criteria | Response Time |
69|----------|----------|---------------|
70| **Critical** | Security vulnerability with active exploit risk | Immediate |
71| **High** | Reliability risk affecting availability | Within 1 week |
72| **Medium** | Best practice violation with moderate risk | Within 1 month |
73| **Low** | Optimization opportunity | As capacity allows |
74 
75## Excel Report Columns
76 
77### Recommendations Sheet
78 
79| Column | Description |
80|--------|-------------|
81| Recommendation ID | Unique identifier for the recommendation |
82| Category | Reliability, Security, Cost, etc. |
83| Recommendation | Description of the issue |
84| Learn More | Link to documentation |
85| Impacted Resources | Count of affected resources |
86 
87### ImpactedResources Sheet
88 
89| Column | Description |
90|--------|-------------|
91| Subscription | Subscription ID (may be masked) |
92| Resource Group | Resource group name |
93| Type | Azure resource type |
94| Name | Resource name |
95| Recommendation ID | Links to Recommendations sheet |
96| Recommendation | Issue description |
97| Learn More | Documentation link |
98| Param1-5 | Additional context (varies by recommendation) |
99 
100### Inventory Sheet
101 
102| Column | Description |
103|--------|-------------|
104| Subscription | Subscription ID |
105| Resource Group | Resource group name |
106| Location | Azure region |
107| Type | Resource type |
108| Name | Resource name |
109| SKU | SKU tier/name |
110| SLA | Calculated SLA percentage |
111| Availability Zones | Zone configuration |
112| Private Endpoint | Private endpoint status |
113| Diagnostic Settings | Diagnostic configuration status |
114 
115## Common Recommendation IDs
116 
117High-impact recommendations to prioritize:
118 
119### Storage Accounts
120 
121| ID | Issue |
122|----|-------|
123| `st-001` | Enable soft delete for blobs |
124| `st-002` | Enable soft delete for containers |
125| `st-003` | Enable versioning |
126| `st-004` | Use private endpoints |
127| `st-005` | Disable public blob access |
128 
129### Virtual Machines
130 
131| ID | Issue |
132|----|-------|
133| `vm-001` | Enable Azure Backup |
134| `vm-002` | Use managed disks |
135| `vm-003` | Deploy in availability zones |
136| `vm-004` | Enable boot diagnostics |
137| `vm-005` | Use managed identity |
138 
139### Azure Kubernetes Service
140 
141| ID | Issue |
142|----|-------|
143| `aks-001` | Enable Azure Policy |
144| `aks-002` | Use managed identity |
145| `aks-003` | Enable Defender for Containers |
146| `aks-004` | Use availability zones |
147| `aks-005` | Enable cluster autoscaler |
148 
149### Key Vault
150 
151| ID | Issue |
152|----|-------|
153| `kv-001` | Enable soft delete |
154| `kv-002` | Enable purge protection |
155| `kv-003` | Use private endpoints |
156| `kv-004` | Enable diagnostic logging |
157| `kv-005` | Use RBAC for data plane |
158 
159### SQL Database
160 
161| ID | Issue |
162|----|-------|
163| `sql-001` | Enable Transparent Data Encryption |
164| `sql-002` | Enable auditing |
165| `sql-003` | Use private endpoints |
166| `sql-004` | Enable zone redundancy |
167| `sql-005` | Enable Advanced Threat Protection |
168 
169## Additional Resources
170 
171- [Azure Proactive Resiliency Library](https://aka.ms/aprl)
172- [Azure Orphaned Resources](https://github.com/dolevshor/azure-orphan-resources)
173- [Azure Advisor Documentation](https://learn.microsoft.com/azure/advisor/)
174- [Defender for Cloud Recommendations](https://learn.microsoft.com/azure/defender-for-cloud/recommendations-reference)
175

Marketplace

Source from repo

Azure Compliance & Security Auditing

Audit Azure resources for compliance, security best practices, and Key Vault expiration monitoring

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

47.5 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/azqr-recommendations.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown175 linesFree

references/azqr-recommendations.md

1# azqr Recommendation Categories
2 
3This document describes how to interpret azqr recommendations and prioritize remediation.
4 
5## Recommendation Sources
6 
7azqr aggregates recommendations from multiple sources:
8 
9| Source | Description | Priority |
10|--------|-------------|----------|
11| **APRL** | Azure Proactive Resiliency Library - reliability-focused best practices | High |
12| **Orphaned Resources** | Resources that are unused or disconnected | Medium |
13| **Azure Advisor** | Microsoft's built-in recommendation engine | Medium |
14| **Defender for Cloud** | Security-focused recommendations | Critical |
15| **Azure Policy** | Governance compliance status | Varies |
16 
17## Impact Categories
18 
19### Reliability
20 
21Recommendations that affect service availability and resiliency:
22 
23| Issue | Risk | Example Resources |
24|-------|------|-------------------|
25| No zone redundancy | Single zone failure causes outage | VMs, Storage, SQL, AKS |
26| Single instance | No failover capability | App Service, Redis, VMs |
27| No backup configured | Data loss risk | VMs, SQL, Cosmos DB |
28| No disaster recovery | Regional failure exposure | Storage, SQL, Key Vault |
29 
30### Security
31 
32Recommendations that affect security posture:
33 
34| Issue | Risk | Example Resources |
35|-------|------|-------------------|
36| Public endpoint exposed | Attack surface exposure | Storage, SQL, Key Vault |
37| Missing encryption | Data exposure risk | Storage, Disks, SQL |
38| No private endpoint | Traffic on public internet | PaaS services |
39| Weak TLS version | Protocol vulnerabilities | App Service, API Management |
40| No managed identity | Credential management risk | App Service, Functions, AKS |
41 
42### Operational Excellence
43 
44Recommendations for better operations:
45 
46| Issue | Risk | Example Resources |
47|-------|------|-------------------|
48| No diagnostic settings | Blind to failures | All resources |
49| Missing alerts | Delayed incident response | All resources |
50| No tags | Governance/cost tracking gaps | All resources |
51| Outdated SKU/version | Missing features/security fixes | All resources |
52 
53### Cost Optimization
54 
55Recommendations to reduce spending:
56 
57| Issue | Risk | Example Resources |
58|-------|------|-------------------|
59| Orphaned disk | Paying for unused storage | Managed Disks |
60| Orphaned public IP | Paying for unused IP | Public IP |
61| Oversized SKU | Excess capacity cost | VMs, SQL, App Service |
62| No reserved capacity | Missing discounts | VMs, SQL, Cosmos DB |
63 
64## Severity Levels
65 
66Prioritize remediation using this severity matrix:
67 
68| Severity | Criteria | Response Time |
69|----------|----------|---------------|
70| **Critical** | Security vulnerability with active exploit risk | Immediate |
71| **High** | Reliability risk affecting availability | Within 1 week |
72| **Medium** | Best practice violation with moderate risk | Within 1 month |
73| **Low** | Optimization opportunity | As capacity allows |
74 
75## Excel Report Columns
76 
77### Recommendations Sheet
78 
79| Column | Description |
80|--------|-------------|
81| Recommendation ID | Unique identifier for the recommendation |
82| Category | Reliability, Security, Cost, etc. |
83| Recommendation | Description of the issue |
84| Learn More | Link to documentation |
85| Impacted Resources | Count of affected resources |
86 
87### ImpactedResources Sheet
88 
89| Column | Description |
90|--------|-------------|
91| Subscription | Subscription ID (may be masked) |
92| Resource Group | Resource group name |
93| Type | Azure resource type |
94| Name | Resource name |
95| Recommendation ID | Links to Recommendations sheet |
96| Recommendation | Issue description |
97| Learn More | Documentation link |
98| Param1-5 | Additional context (varies by recommendation) |
99 
100### Inventory Sheet
101 
102| Column | Description |
103|--------|-------------|
104| Subscription | Subscription ID |
105| Resource Group | Resource group name |
106| Location | Azure region |
107| Type | Resource type |
108| Name | Resource name |
109| SKU | SKU tier/name |
110| SLA | Calculated SLA percentage |
111| Availability Zones | Zone configuration |
112| Private Endpoint | Private endpoint status |
113| Diagnostic Settings | Diagnostic configuration status |
114 
115## Common Recommendation IDs
116 
117High-impact recommendations to prioritize:
118 
119### Storage Accounts
120 
121| ID | Issue |
122|----|-------|
123| `st-001` | Enable soft delete for blobs |
124| `st-002` | Enable soft delete for containers |
125| `st-003` | Enable versioning |
126| `st-004` | Use private endpoints |
127| `st-005` | Disable public blob access |
128 
129### Virtual Machines
130 
131| ID | Issue |
132|----|-------|
133| `vm-001` | Enable Azure Backup |
134| `vm-002` | Use managed disks |
135| `vm-003` | Deploy in availability zones |
136| `vm-004` | Enable boot diagnostics |
137| `vm-005` | Use managed identity |
138 
139### Azure Kubernetes Service
140 
141| ID | Issue |
142|----|-------|
143| `aks-001` | Enable Azure Policy |
144| `aks-002` | Use managed identity |
145| `aks-003` | Enable Defender for Containers |
146| `aks-004` | Use availability zones |
147| `aks-005` | Enable cluster autoscaler |
148 
149### Key Vault
150 
151| ID | Issue |
152|----|-------|
153| `kv-001` | Enable soft delete |
154| `kv-002` | Enable purge protection |
155| `kv-003` | Use private endpoints |
156| `kv-004` | Enable diagnostic logging |
157| `kv-005` | Use RBAC for data plane |
158 
159### SQL Database
160 
161| ID | Issue |
162|----|-------|
163| `sql-001` | Enable Transparent Data Encryption |
164| `sql-002` | Enable auditing |
165| `sql-003` | Use private endpoints |
166| `sql-004` | Enable zone redundancy |
167| `sql-005` | Enable Advanced Threat Protection |
168 
169## Additional Resources
170 
171- [Azure Proactive Resiliency Library](https://aka.ms/aprl)
172- [Azure Orphaned Resources](https://github.com/dolevshor/azure-orphan-resources)
173- [Azure Advisor Documentation](https://learn.microsoft.com/azure/advisor/)
174- [Defender for Cloud Recommendations](https://learn.microsoft.com/azure/defender-for-cloud/recommendations-reference)
175

Azure Compliance & Security Auditing

references/azqr-recommendations.md

Preparing the source view

Azure Compliance & Security Auditing

references/azqr-recommendations.md