Source from repo
Azure Compliance & Security Auditing

Audit Azure resources for compliance, security best practices, and Key Vault expiration monitoring
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
47.5 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/azqr-remediation-patterns.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown378 linesFree
references/azqr-remediation-patterns.md
1# Remediation Patterns for Common azqr Findings
2 
3This document provides remediation templates for frequently identified compliance issues.
4 
5## Storage Account Issues
6 
7### Enable Private Endpoints
8 
9**Issue:** Storage account accessible via public endpoint
10 
11**Azure CLI:**
12```bash
13# Create private endpoint
14az network private-endpoint create \
15  --name pe-storage \
16  --resource-group <rg-name> \
17  --vnet-name <vnet-name> \
18  --subnet <subnet-name> \
19  --private-connection-resource-id $(az storage account show -n <storage-name> -g <rg-name> --query id -o tsv) \
20  --group-id blob \
21  --connection-name pe-storage-connection
22 
23# Disable public access
24az storage account update \
25  --name <storage-name> \
26  --resource-group <rg-name> \
27  --public-network-access Disabled
28```
29 
30**Bicep:**
31```bicep
32resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
33  name: 'pe-${storageAccount.name}'
34  location: location
35  properties: {
36    subnet: {
37      id: subnet.id
38    }
39    privateLinkServiceConnections: [
40      {
41        name: 'pe-${storageAccount.name}-connection'
42        properties: {
43          privateLinkServiceId: storageAccount.id
44          groupIds: ['blob']
45        }
46      }
47    ]
48  }
49}
50```
51 
52### Enable Soft Delete
53 
54**Issue:** No soft delete protection for blobs
55 
56**Azure CLI:**
57```bash
58az storage account blob-service-properties update \
59  --account-name <storage-name> \
60  --resource-group <rg-name> \
61  --enable-delete-retention true \
62  --delete-retention-days 7 \
63  --enable-container-delete-retention true \
64  --container-delete-retention-days 7
65```
66 
67**Bicep:**
68```bicep
69resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
70  parent: storageAccount
71  name: 'default'
72  properties: {
73    deleteRetentionPolicy: {
74      enabled: true
75      days: 7
76    }
77    containerDeleteRetentionPolicy: {
78      enabled: true
79      days: 7
80    }
81  }
82}
83```
84 
85---
86 
87## Key Vault Issues
88 
89### Enable Purge Protection
90 
91**Issue:** Key Vault can be permanently deleted
92 
93**Azure CLI:**
94```bash
95az keyvault update \
96  --name <vault-name> \
97  --resource-group <rg-name> \
98  --enable-purge-protection true
99```
100 
101**Bicep:**
102```bicep
103resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
104  name: keyVaultName
105  location: location
106  properties: {
107    enableSoftDelete: true
108    softDeleteRetentionInDays: 90
109    enablePurgeProtection: true
110    // ... other properties
111  }
112}
113```
114 
115### Use RBAC for Data Plane
116 
117**Issue:** Using access policies instead of RBAC
118 
119**Azure CLI:**
120```bash
121az keyvault update \
122  --name <vault-name> \
123  --resource-group <rg-name> \
124  --enable-rbac-authorization true
125```
126 
127---
128 
129## Virtual Machine Issues
130 
131### Enable Diagnostic Settings
132 
133**Issue:** No diagnostics configured for VM
134 
135**Azure CLI:**
136```bash
137# Create Log Analytics workspace (if needed)
138az monitor log-analytics workspace create \
139  --resource-group <rg-name> \
140  --workspace-name <workspace-name>
141 
142# Enable diagnostics
143az monitor diagnostic-settings create \
144  --name diag-vm \
145  --resource $(az vm show -g <rg-name> -n <vm-name> --query id -o tsv) \
146  --workspace $(az monitor log-analytics workspace show -g <rg-name> -n <workspace-name> --query id -o tsv) \
147  --metrics '[{"category": "AllMetrics", "enabled": true}]'
148```
149 
150**Bicep:**
151```bicep
152resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
153  name: 'diag-${vm.name}'
154  scope: vm
155  properties: {
156    workspaceId: logAnalyticsWorkspace.id
157    metrics: [
158      {
159        category: 'AllMetrics'
160        enabled: true
161      }
162    ]
163  }
164}
165```
166 
167### Enable Azure Backup
168 
169**Issue:** VM not protected by Azure Backup
170 
171**Azure CLI:**
172```bash
173# Create Recovery Services vault (if needed)
174az backup vault create \
175  --resource-group <rg-name> \
176  --name <vault-name> \
177  --location <location>
178 
179# Enable backup with default policy
180az backup protection enable-for-vm \
181  --resource-group <rg-name> \
182  --vault-name <vault-name> \
183  --vm $(az vm show -g <rg-name> -n <vm-name> --query id -o tsv) \
184  --policy-name DefaultPolicy
185```
186 
187---
188 
189## AKS Issues
190 
191### Enable Defender for Containers
192 
193**Issue:** No security monitoring for AKS
194 
195**Azure CLI:**
196```bash
197az aks update \
198  --resource-group <rg-name> \
199  --name <cluster-name> \
200  --enable-defender
201```
202 
203**Bicep:**
204```bicep
205resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
206  name: clusterName
207  location: location
208  properties: {
209    securityProfile: {
210      defender: {
211        securityMonitoring: {
212          enabled: true
213        }
214        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.id
215      }
216    }
217    // ... other properties
218  }
219}
220```
221 
222### Use Managed Identity
223 
224**Issue:** AKS using service principal instead of managed identity
225 
226**Azure CLI:**
227```bash
228az aks update \
229  --resource-group <rg-name> \
230  --name <cluster-name> \
231  --enable-managed-identity
232```
233 
234---
235 
236## SQL Database Issues
237 
238### Enable Auditing
239 
240**Issue:** SQL Server auditing not enabled
241 
242**Azure CLI:**
243```bash
244# Enable to Log Analytics
245az sql server audit-policy update \
246  --resource-group <rg-name> \
247  --name <server-name> \
248  --state Enabled \
249  --lats Enabled \
250  --lawri $(az monitor log-analytics workspace show -g <rg-name> -n <workspace-name> --query id -o tsv)
251```
252 
253**Bicep:**
254```bicep
255resource sqlAudit 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = {
256  parent: sqlServer
257  name: 'default'
258  properties: {
259    state: 'Enabled'
260    isAzureMonitorTargetEnabled: true
261    retentionDays: 90
262  }
263}
264```
265 
266### Enable Private Endpoint
267 
268**Issue:** SQL Server accessible via public endpoint
269 
270**Azure CLI:**
271```bash
272# Create private endpoint
273az network private-endpoint create \
274  --name pe-sql \
275  --resource-group <rg-name> \
276  --vnet-name <vnet-name> \
277  --subnet <subnet-name> \
278  --private-connection-resource-id $(az sql server show -g <rg-name> -n <server-name> --query id -o tsv) \
279  --group-id sqlServer \
280  --connection-name pe-sql-connection
281 
282# Disable public access
283az sql server update \
284  --resource-group <rg-name> \
285  --name <server-name> \
286  --enable-public-network false
287```
288 
289---
290 
291## App Service Issues
292 
293### Use Managed Identity
294 
295**Issue:** App Service not using managed identity
296 
297**Azure CLI:**
298```bash
299az webapp identity assign \
300  --resource-group <rg-name> \
301  --name <app-name>
302```
303 
304**Bicep:**
305```bicep
306resource webApp 'Microsoft.Web/sites@2023-01-01' = {
307  name: appName
308  location: location
309  identity: {
310    type: 'SystemAssigned'
311  }
312  properties: {
313    // ... other properties
314  }
315}
316```
317 
318### Enforce HTTPS Only
319 
320**Issue:** HTTP traffic allowed
321 
322**Azure CLI:**
323```bash
324az webapp update \
325  --resource-group <rg-name> \
326  --name <app-name> \
327  --https-only true
328```
329 
330### Set Minimum TLS Version
331 
332**Issue:** TLS version below 1.2
333 
334**Azure CLI:**
335```bash
336az webapp config set \
337  --resource-group <rg-name> \
338  --name <app-name> \
339  --min-tls-version 1.2
340```
341 
342---
343 
344## Bulk Remediation Script
345 
346For multiple resources of the same type, use a loop:
347 
348```powershell
349# Example: Enable soft delete on all storage accounts
350$storageAccounts = az storage account list --query "[].{name:name, rg:resourceGroup}" -o json | ConvertFrom-Json
351 
352foreach ($sa in $storageAccounts) {
353    Write-Host "Enabling soft delete on $($sa.name)..."
354    az storage account blob-service-properties update `
355        --account-name $sa.name `
356        --resource-group $sa.rg `
357        --enable-delete-retention true `
358        --delete-retention-days 7
359}
360```
361 
362---
363 
364## Remediation Validation
365 
366After applying fixes, re-run the azqr scan using the Azure MCP tool to verify the issues have been resolved:
367 
368```
369mcp_azure_mcp_extension_azqr
370  subscription: <subscription-id>
371```
372 
373## Additional Resources
374 
375- [Azure CLI Reference](https://learn.microsoft.com/cli/azure/)
376- [Bicep Documentation](https://learn.microsoft.com/azure/azure-resource-manager/bicep/)
377- [Azure Policy Built-in Definitions](https://learn.microsoft.com/azure/governance/policy/samples/built-in-policies)
378
Preparing the source view

Azure Compliance & Security Auditing

references/azqr-remediation-patterns.md
