Azure OpenAI

Microsoft Azure

Terraform Name

terraform

Azure OpenAI

attributes:

Associating resources with a

Azure OpenAI

Resources do not "belong" to a

Azure OpenAI

Rather, one or more Security Groups are associated to a resource.

Create

Azure OpenAI

via Terraform:

Syntax:

Create

Azure OpenAI

via CLI:

Parameters:

Example:

aws cost

Costs

Direct Cost

Indirect Cost

No items found.

Best Practices for

Azure OpenAI

Categorized by Availability, Security & Compliance and Cost

Low

Access allowed from VPN

Security & Compliance

No items found.

Medium

AMI (Amazon Machine Images) not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

AMI (Amazon Machine Images) not in use (12 months)

AWS Cost Optimization

AWS Well-Architected Framework

Low

Auto Scaling Group not in use

Other

No items found.

High

AWS Config configuration changes alarm

Security & Compliance

AWS Well-Architected Framework

High

AWS DynamoDB Table Export

Threat Detection

No items found.

Medium

AWS EC2 VM Export Failure

Threat Detection

No items found.

High

AWS IAM Activity Using S3 Browser Utility

Threat Detection

No items found.

Medium

AWS IAM User Created Access Keys

Threat Detection

No items found.

High

AWS RDS Snapshot Export to S3

Threat Detection

No items found.

Low

Azure AD Privileged Role Changes

Threat Detection

No items found.

High

Azure/EntraID: Reset password for Global Admin user

Threat Detection

No items found.

Low

CloudTrail changes alarm

Security & Compliance

Medium

Connections towards DynamoDB should be via VPC endpoints

Security & Compliance

No items found.

Medium

Connections towards S3 should be via VPC endpoint

Security & Compliance

High

Container Escape Detection

Threat Detection

No items found.

Medium

Container in CrashLoopBackOff state

Availability

No items found.

Low

Cross peering connectivity is allowed by EC2

Security & Compliance

Low

Cross peering connectivity is allowed by ECS Task

Security & Compliance

Low

Cross peering connectivity is allowed by Lambda

Security & Compliance

Low

Cross peering connectivity is allowed by Pod

Security & Compliance

Low

Cross transit connectivity is allowed by EC2

Security & Compliance

Low

Cross transit connectivity is allowed by ECS

Security & Compliance

Low

Cross transit connectivity is allowed by Lambda

Security & Compliance

Low

Cross transit connectivity is allowed by Pod

Security & Compliance

Medium

DynamoDB tables not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

EBS snapshots not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

EBS volume not in use

AWS Cost Optimization

AWS Well-Architected Framework

Low

EC2 large instance create alarm

Security & Compliance

AWS Well-Architected Framework

Medium

EC2 should have a name set

Other

Critical

EC2 with Admin access (*:*)

Security & Compliance

Low

EC2 with GPU capabilities

AWS Cost Optimization

No items found.

Medium

EC2 with high privileged policies

Security & Compliance

No items found.

Medium

ECS cluster delete alarm

Availability

No items found.

Critical

ECS task with Admin access (*:*)

Security & Compliance

Medium

ECS task with high privileged policies

Security & Compliance

No items found.

Critical

EKS cluster delete alarm

Availability

No items found.

Medium

ElastiCache cluster delete alarm

Availability

No items found.

Medium

Elastic IP not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

AWS Cost Optimization

AWS Well-Architected Framework

Critical

Ensure access keys are rotated every 90 days or less

Security & Compliance

Medium

Ensure all hosts in the target group are in healthy state

Availability

No items found.

Medium

Ensure all hosts in the target group are in use

Availability

No items found.

Critical

Ensure all IAM users with console access have MFA enabled

Security & Compliance

Medium

Ensure Amazon MQ broker instances are using desired instance types

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure Amazon MQ brokers are not publicly accessible

Security & Compliance

Critical

Ensure Amazon MQ brokers are not publicly accessible

Security & Compliance

Low

Ensure Amazon MQ brokers are using the active/standby deployment mode

Availability

AWS Well-Architected Framework

Low

Ensure Amazon MQ brokers are using the latest engine version

Security & Compliance

Medium

Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled

Security & Compliance

Low

Ensure Amazon MQ brokers Log Exports feature is enabled

Security & Compliance

Medium

Ensure Amazon SageMaker Notebook Instance is in VPC

Security & Compliance

AWS Well-Architected Framework

Low

Ensure API Gateway has Content Encoding feature enabled

Other

Medium

Ensure Application Load Balancer (ALB) has access logging enabled

Security & Compliance

No items found.

Medium

Ensure Application Load Balancers (ALB) are configured to drop HTTP headers

Security & Compliance

AWS Foundational Security Best Practices Controls

Low

Ensure Auto-Tune feature is enabled in OpenSearch clusters

Other

No items found.

Medium

Ensure AWS Config is configured to include global resources

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure AWS EKS cluster has secrets encryption enabled

Security & Compliance

Medium

Ensure both VPN tunnels are up

Availability

AWS Well-Architected Framework

Medium

Ensure CloudFormation stacks are sending event notifications to an SNS topic

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFormation stacks Termination Protection feature is enabled

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFront distribution enforce HTTPS protocol for data in-transit

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2

Security & Compliance

Medium

Ensure CloudFront has WAF attached

Security & Compliance

AWS Foundational Security Best Practices Controls

Medium

Ensure CloudFront web distributions are configured to compress objects (files) automatically

AWS Cost Optimization

Medium

Ensure CloudFront web distributions enforce field-level encryption

Security & Compliance

AWS Well-Architected Framework

High

Ensure CloudTrail buckets are configured to use MFA

Security & Compliance

Medium

Ensure CloudTrail Log File Integrity Validation is enabled

Security & Compliance

Medium

Ensure CloudTrail logs are encrypted at rest

Security & Compliance

High

Ensure CloudTrail trails have multi-region enabled

Security & Compliance

High

Ensure CloudTrail trails record global service events

Security & Compliance

Medium

Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs

Security & Compliance

Medium

Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure container is not privileged

Security & Compliance

No items found.

Medium

Ensure Container liveness probe is configured

Availability

No items found.

Low

Ensure Container readiness probe is configured

Availability

No items found.

Medium

Ensure containers do not run with AllowPrivilegeEscalation

Security & Compliance

No items found.

Low

Ensure containers run with a high GID to avoid host conflict

Security & Compliance

No items found.

Low

Ensure containers run with a high UID to avoid host conflict

Security & Compliance

No items found.

High

Ensure Database Migration Service (DMS) are not publicly accessible

Security & Compliance

Medium

Ensure Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations

Availability

Medium

Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled

Security & Compliance

Medium

Ensure data stored in the S3 bucket is securely encrypted at rest

Security & Compliance

Critical

Ensure default security groups are not in use by ALB

Security & Compliance

Critical

Ensure default security groups are not in use by EC2

Security & Compliance

Critical

Ensure default security groups are not in use by ECS

Security & Compliance

Critical

Ensure default security groups are not in use by ElastiCache

Security & Compliance

Critical

Ensure default security groups are not in use by ELB

Security & Compliance

Critical

Ensure default security groups are not in use by Lambda

Security & Compliance

Critical

Ensure default security groups are not in use by MSK

Security & Compliance

Critical

Ensure default security groups are not in use by OpenSearch

Security & Compliance

Critical

Ensure default security groups are not in use by RDS

Security & Compliance

Critical

Ensure default security groups are not in use by VPC Endpoints

Security & Compliance

Medium

Ensure default security groups do not allow unrestricted traffic

Security & Compliance

Medium

Ensure default service accounts are not actively used

Security & Compliance

No items found.

Critical

Ensure DMS instances are not accessible via Internet (Network and API)

Security & Compliance

AWS Well-Architected Framework

Low

Ensure DocumentDB clusters have Log Exports feature enabled

Security & Compliance

Medium

Ensure DocumentDB database clusters have a minimum backup retention period

Other

AWS Well-Architected Framework

Critical

Ensure DocumentDB database instances are not accessible via Internet (Network and API)

Security & Compliance

Critical

Ensure DocumentDB database instances have storage encryption enabled

Security & Compliance

From Shadow Runtime AI to Complete Visibility, Detection and Response.