4 changes: 4 additions & 0 deletions docs/changelog.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

## Unreleased

- New features:
- Added `Azure.Pillar.Security.L2` experimental baseline for the Security pillar Level 2 maturity.
[#3726](https://github.com/Azure/PSRule.Rules.Azure/issues/3726)
- Added `Azure.WAF/maturity: L2` labels to Security pillar rules covering network ingress, authentication controls, workload hardening, deployment practices, and maintenance.
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use `1.33.7` as the minimum version by @BernieWhite.
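Review bot: the changelog entry only describes `Azure.WAF/maturity: L2` labels, but the rule docs in this same change also add `Security: Level 1` links (Azure.ACR.AnonymousAccess, Azure.APIM.EncryptValues, Azure.AppConfig.SecretLeak), a `Level 4` link (Azure.AI.PrivateEndpoints) and `Level 5` links (Azure.ACR.ContentTrust, Azure.ACR.Quarantine); either widen the note to say which maturity levels are being labelled, or state that only the L2 labels ship in this release. The second new-features bullet also lacks the issue reference that the first bullet carries on its own line; add the relevant issue link so both entries are traceable.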
1 change: 1 addition & 0 deletions docs/en/rules/Azure.ACR.AnonymousAccess.md
Expand Up @@ -143,6 +143,7 @@ For example: You are a software vendor and intend to distribute container images
## LINKS

- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
- [Make your container registry content publicly available](https://learn.microsoft.com/azure/container-registry/anonymous-pull-access)
- [Azure security baseline for Container Registry](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline)
- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#im-1-use-centralized-identity-and-authentication-system)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.ACR.ContainerScan.md
Expand Up @@ -99,6 +99,7 @@ This rule applies when analyzing resources deployed (in-flight) to Azure and doe
## LINKS

- [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Introduction to Microsoft Defender for container registries](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-container-registries-introduction)
- [Container security in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction)
- [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.ACR.ContentTrust.md
Expand Up @@ -118,6 +118,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
## LINKS

- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
- [Security: Level 5](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level5)
- [Content trust in Azure Container Registry](https://learn.microsoft.com/azure/container-registry/container-registry-content-trust)
- [Content trust in Docker](https://docs.docker.com/engine/security/trust/content_trust/)
- [Overview of customer-managed keys](https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys#before-you-enable-a-customer-managed-key)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.ACR.ExportPolicy.md
Expand Up @@ -153,6 +153,7 @@ such as in the case of public registries.
## LINKS

- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Data loss prevention for Azure Container Registry](https://learn.microsoft.com/azure/container-registry/data-loss-prevention)
- [Azure Security Benchmark - Monitor anomalies and threats targeting sensitive data](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data)
- [Azure Policy - Container registries should have exports disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_ExportPolicy_AuditDeny.json)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.ACR.Firewall.md
Expand Up @@ -107,6 +107,7 @@ you must enable trusted Microsoft services for the vulnerability assessment feat
## LINKS

- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Restrict access using private endpoint](https://learn.microsoft.com/azure/container-registry/container-registry-private-link)
- [Restrict access using firewall rules](https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks)
- [Allow trusted services to securely access a network-restricted container registry](https://learn.microsoft.com/azure/container-registry/allow-access-trusted-services)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.ACR.Quarantine.md
Expand Up @@ -120,6 +120,7 @@ Image quarantine for Azure Container Registry is currently in preview.
## LINKS

- [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers)
- [Security: Level 5](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level5)
- [How do I enable automatic image quarantine for a registry?](https://learn.microsoft.com/azure/container-registry/container-registry-faq#how-do-i-enable-automatic-image-quarantine-for-a-registry-)
- [Quarantine Pattern](https://github.com/Azure/acr/tree/main/docs/preview/quarantine)
- [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AI.PrivateEndpoints.md
Expand Up @@ -96,6 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
## LINKS

- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
- [Security: Level 4](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level4)
- [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AI.PublicAccess.md
Expand Up @@ -96,6 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
## LINKS

- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.AuthorizedIPs.md
Expand Up @@ -200,6 +200,7 @@ Set-AzAksCluster -Name '<name>' -ResourceGroupName '<resource_group>' -ApiServer
## LINKS

- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges)
- [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.AutoUpgrade.md
Expand Up @@ -199,6 +199,7 @@ To address this issue at runtime use the following policies:
## LINKS

- [OE:09 Task automation](https://learn.microsoft.com/azure/well-architected/operational-excellence/automate-tasks)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Supported Kubernetes versions in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions)
- [Support policies for Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/support-policies)
- [Automatically upgrade an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster)
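Review bot: this rule's only pillar link is `OE:09 Task automation` (Operational Excellence), yet the hunk tags it with a Security maturity level. If the rule is being included in the Security pillar maturity baseline, add the corresponding `SE:xx` link ahead of the `Security: Level 2` entry, as every other rule doc in this change does; otherwise confirm that the maturity label is intended on an Operational Excellence rule.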
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.AzurePolicyAddOn.md
Expand Up @@ -247,6 +247,7 @@ Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.
## LINKS

- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Understand Azure Policy for Kubernetes clusters](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes)
- [Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy](https://learn.microsoft.com/azure/aks/use-azure-policy)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.AzureRBAC.md
Expand Up @@ -189,6 +189,7 @@ az aks update -n '<name>' -g '<resource_group>' --enable-azure-rbac
## LINKS

- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Use Azure RBAC for Kubernetes Authorization](https://learn.microsoft.com/azure/aks/manage-azure-rbac)
- [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.DefenderProfile.md
Expand Up @@ -86,6 +86,7 @@ Outbound access so that the Defender profile can connect to Microsoft Defender f
## LINKS

- [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction)
- [Defender for Containers architecture](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-architecture?tabs=defender-for-container-arch-aks)
- [Deploy the Defender profile](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-arm%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-profile)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.HttpAppRouting.md
Expand Up @@ -190,6 +190,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
## LINKS

- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [HTTP application routing](https://learn.microsoft.com/azure/aks/http-application-routing)
- [Migrate from HTTP application routing to the application routing add-on](https://learn.microsoft.com/azure/aks/app-routing-migration)
- [What is Application Gateway for Containers?](https://learn.microsoft.com/azure/application-gateway/for-containers/overview)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.NetworkPolicy.md
Expand Up @@ -245,6 +245,7 @@ Existing AKS clusters must be redeployed to enable Network Policy.
## LINKS

- [SE:04 Segmentation](https://learn.microsoft.com/azure/well-architected/security/segmentation)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline#ns-1-establish-network-segmentation-boundaries)
- [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/use-network-policies)
- [Best practices for network connectivity and security in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-network#control-traffic-flow-with-network-policies)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.NodeAutoUpgrade.md
Expand Up @@ -225,6 +225,7 @@ It also helps you to identify such fixes shipped to a core add-on, and node imag
## LINKS

- [SE:01-Security Baseline](https://learn.microsoft.com/azure/well-architected/security/establish-baseline)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Automatically upgrade AKS cluster node OS images](https://learn.microsoft.com/azure/aks/auto-upgrade-node-os-image?tabs=azure-cli)
- [Upgrade Azure Kubernetes Service (AKS) node images](https://learn.microsoft.com/azure/aks/node-image-upgrade)
- [Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/node-updates-kured)
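Review bot: `SE:01-Security Baseline` uses a hyphen and a capitalised short title, unlike the `SE:xx Title` form used on every other rule page in this change (for example `SE:08 Hardening resources`); since this LINKS list is being edited anyway, align the entry to the `SE:01 ...` form with a space so the pillar links read consistently.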
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.SecretStore.md
Expand Up @@ -190,6 +190,7 @@ az aks enable-addons --addons azure-keyvault-secrets-provider -n '<name>' -g '<r
## LINKS

- [Key and secret management considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Operational considerations](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations)
- [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver)
- [Automate the rotation of a secret for resources that use one set of authentication credentials](https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation)
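Review bot: the new `Security: Level 2` entry lands between two links that point to the same URL and anchor (`design-storage-keys#operational-considerations`, titled both `Key and secret management considerations in Azure` and `Operational considerations`); while touching this list, drop the duplicate so the LINKS section does not list the same target twice.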
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.SecretStoreRotation.md
Expand Up @@ -192,6 +192,7 @@ az aks update --enable-secret-rotation -n '<name>' -g '<resource_group>'
## LINKS

- [Key and secret management considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Operational considerations](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations)
- [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver)
- [Automate the rotation of a secret for resources that use one set of authentication credentials](https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation)
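Review bot: same duplicate as in Azure.AKS.SecretStore.md: the `Key and secret management considerations in Azure` and `Operational considerations` links either side of the new `Security: Level 2` entry both resolve to `design-storage-keys#operational-considerations`; remove one of them while the list is being updated.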
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AKS.UseRBAC.md
Expand Up @@ -29,6 +29,7 @@ Consider redeploying the AKS cluster with RBAC enabled.
## LINKS

- [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-ad-integration)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [Best practices for authentication and authorization in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-identity#use-azure-active-directory)
- [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.APIM.DefenderCloud.md
Expand Up @@ -87,6 +87,7 @@ This rule may currently generate false positive results for APIs only hosted on
## LINKS

- [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
- [Overview of Microsoft Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-introduction)
- [Support and prerequisites for Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-prepare)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.APIM.EncryptValues.md
Expand Up @@ -94,5 +94,6 @@ The identity needs permissions to get and list secrets from the Key Vault. Also
## LINKS

- [Key storage](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage)
- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
- [Prerequisites for key vault integration](https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal#prerequisites-for-key-vault-integration)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/namedvalues#keyvaultcontractcreatepropertiesorkeyvaultcontractpr)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.APIM.ProductApproval.md
Expand Up @@ -98,6 +98,7 @@ resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {
## LINKS

- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#protect-nonidentity-based-secrets)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products)
- [Subscriptions in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-subscriptions)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/products)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.APIM.ProductSubscription.md
Expand Up @@ -98,6 +98,7 @@ resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {
## LINKS

- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#protect-nonidentity-based-secrets)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products)
- [Subscriptions in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-subscriptions)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/products)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.APIM.SampleProducts.md
Expand Up @@ -35,4 +35,5 @@ This rule applies when analyzing API Management Services (in-flight) and running
## LINKS

- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AppConfig.SecretLeak.md
Expand Up @@ -111,6 +111,7 @@ For example:
## LINKS

- [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets)
- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
- [IM-8: Restrict the exposure of credential and secrets](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-app-configuration-security-baseline#im-8-restrict-the-exposure-of-credential-and-secrets)
- [Use Key Vault references in an ASP.NET Core app](https://learn.microsoft.com/azure/azure-app-configuration/use-key-vault-references-dotnet-core)
- [Reload secrets and certificates from Key Vault automatically](https://learn.microsoft.com/azure/azure-app-configuration/reload-key-vault-secrets-dotnet)
1 change: 1 addition & 0 deletions docs/en/rules/Azure.AppGw.OWASP.md
Expand Up @@ -102,5 +102,6 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway
## LINKS

- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
- [OWASP ModSecurity Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)