Azure security baseline for Azure Functions

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Functions. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Functions.

Note

Controls not applicable to Azure Functions, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Functions completely maps to the Azure Security Benchmark, see the full Azure Functions security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: When you deploy Azure Functions resources, create or use an existing virtual network. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns with the business risks. Any system that might incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with a network security group (NSG) and/or Azure Firewall.

Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs, with reference to external network traffic rules.

Azure Functions has two primary ways to deploy resources within a network context. A function app may be created on the Elastic Premium plan with service endpoints or private endpoints for inbound requests, and with virtual network integration and forced tunneling for outbound requests. A function app may also be deployed completely within a virtual network by running in an App Service Environment. When operating in these modes, networking rules and restrictions still need to be set for dependencies such as the storage account used by Functions, as well as any event or data sources.

Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos.

Function apps are created by default to support TLS 1.2 as a minimum version, but an app can be configured with a lower version through a configuration setting. HTTPS is not required of incoming requests by default, but this can also be set via a configuration setting, at which point any HTTP request will be automatically redirected to use HTTPS.

Certain event sources consumed by an app may require opening of additional ports to or from the network, but in the default case this is not necessary.

Function apps can be configured with IP restrictions for inbound requests. These are set via a priority list of Allow or Deny rules over IP blocks, virtual network subnets, or service tags.

Responsibility: Customer

Azure Security Center monitoring: None

NS-2: Connect private networks together

Guidance: Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections don't go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

Responsibility: Customer

Azure Security Center monitoring: None

NS-3: Establish private network access to Azure services

Guidance: Use Azure Private Link to enable private access to Azure Functions from your virtual networks without crossing the internet.

Private access is an additional defense in depth measure to the authentication and traffic security offered by Azure services.

When creating an inbound private endpoint connection for functions, you will also need a DNS record to resolve the private address. By default a private DNS record will be created for you when creating a private endpoint using the Azure portal.

When unable to use private endpoints, use Azure Virtual Network service endpoints to provide secure access to Azure Functions via an optimized route over the Azure backbone network without crossing the internet. Service endpoints can be enabled both at the application and subnet level for Azure Functions.

You can't use service endpoints to restrict access to apps that run in an App Service Environment. When your app is in an App Service Environment, you can control access to it by applying IP access rules.

Responsibility: Customer

Azure Security Center monitoring: None

NS-4: Protect applications and services from external network attacks

Guidance: Protect your Azure Functions resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. Use Azure Security Center to detect misconfiguration risks to your network related resources.

Use Web Application Firewall (WAF) capabilities in the Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications running on Azure Functions against application layer attacks.

Introduction of a Web Application Firewall requires either an App Service Environment or use of private endpoints.

Responsibility: Customer

Azure Security Center monitoring: None

NS-6: Simplify network security rules

Guidance: Use Azure Virtual Network Service Tags to define network access controls on network security groups or Azure Firewall configured for your Azure Functions resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

The "AppService" service tag summarizes the IP ranges for the service and can be used in outbound rules.

The "AppServiceManagement" service tag summarizes management traffic for deployments dedicated to App Service Environment.

Responsibility: Customer

Azure Security Center monitoring: None

NS-7: Secure Domain Name Service (DNS)

Guidance: Follow the best practices for DNS security to mitigate against common attacks like dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, etc.

When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks.

If the function app is running in an App Service Environment and the virtual network is configured with a customer-selected DNS server, the function app workloads use it. The DNS server must be reachable from the subnet that contains the App Service Environment. The environment itself still uses Azure DNS for management purposes.

Responsibility: Shared

Azure Security Center monitoring: None

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure Functions uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identities that allow users without a Microsoft account to sign in to their applications and resources with their external identity.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

  • Name (Azure portal): Managed identity should be used in your API App. Description: Use a managed identity for enhanced authentication security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): Managed identity should be used in your Function App. Description: Use a managed identity for enhanced authentication security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): Managed identity should be used in your Web App. Description: Use a managed identity for enhanced authentication security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0

IM-2: Manage application identities securely and automatically

Guidance: Azure Functions uses Azure-managed identities for non-human accounts such as services or automation, and it is recommended to use the Azure-managed identity feature instead of creating a more powerful human account to access or execute your resources. Azure Functions can natively authenticate to the Azure services/resources that support Azure AD authentication through a pre-defined access grant rule without using credentials hard coded in source code or configuration files.

Azure Functions supports system-assigned and user-assigned managed identities. Managed identities may be leveraged by customer-deployed code for requesting tokens to other resources. The identities may also be used for service features such as resolving secrets from a key vault or pulling images from a container registry.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

  • Name (Azure portal): Managed identity should be used in your API App. Description: Use a managed identity for enhanced authentication security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): Managed identity should be used in your Function App. Description: Use a managed identity for enhanced authentication security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): Managed identity should be used in your Web App. Description: Use a managed identity for enhanced authentication security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure Functions uses Azure Active Directory to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities, such as employees, as well as external identities like partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access and greater visibility and control.

Responsibility: Customer

Azure Security Center monitoring: None

IM-5: Monitor and alert on account anomalies

Guidance: Azure Functions is integrated with Azure Active Directory, which provides the following data sources:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resource within Azure AD, like adding or removing users, apps, groups, roles, and policies.
  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

These data sources can be integrated with Azure Monitor, Azure Sentinel, or third-party SIEM systems.

Azure Security Center can also alert you about certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription.

Azure Advanced Threat Protection (ATP) is a security solution that can use Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

Some operations exposed by the application runtime may be performed using an administrative key. This key can be stored in Azure Key Vault, and it can be regenerated at any time.

Responsibility: Customer

Azure Security Center monitoring: None

IM-7: Eliminate unintended credential exposure

Guidance: Azure Functions allows customers to deploy and run code, configurations, or persisted data that may contain identities or secrets. It's recommended to implement Credential Scanner to identify credentials within your code, configurations, or persisted data. Credential Scanner will also encourage moving discovered credentials to more secure locations like Azure Key Vault.

For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.

Azure Functions has a built-in feature for referencing secrets from Key Vault without requiring code changes.

Responsibility: Customer

Azure Security Center monitoring: None

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: Create standard operating procedures around the use of dedicated administrative accounts.

Some administrative operations for the app can be performed using an administration key. This should be managed in a secure repository like Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

PA-2: Restrict administrative access to business-critical systems

Guidance: Azure Functions uses Azure role-based access control (Azure RBAC) to isolate access to business-critical systems by restricting which accounts are granted privileged access to the subscriptions and management groups they are in.

Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your business-critical access controls, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.

Accounts with deployment permissions over a function app have debugging access to it, and therefore access to any systems or data it works with. This permission is implied by the Contributor and Owner roles.

Responsibility: Customer

Azure Security Center monitoring: None

PA-3: Review and reconcile user access regularly

Guidance: Azure Functions uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD and access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management (PIM) to create access review report workflows to facilitate the review process.

In addition, Azure AD PIM can also be configured to alert you when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.

Responsibility: Customer

Azure Security Center monitoring: None

PA-6: Use privileged access workstations

Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, and restricted logical and network access.

Responsibility: Customer

Azure Security Center monitoring: None

PA-7: Follow just enough administration (least privilege principle)

Guidance: Azure Functions is integrated with Azure role-based access control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed periodically.

Use built-in roles to allocate permissions and only create custom roles when required.

Some operations are exposed by the app which may be controlled with an administrative key. Control access to this key using Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

PA-8: Choose approval process for Microsoft support

Guidance: In support scenarios where Microsoft needs to access customer data, Azure Functions supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption).

To ensure consistent access control, all types of access control should be aligned with your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.

For the underlying platform (managed by Microsoft), Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

Responsibility: Customer

Azure Security Center monitoring: None

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. Enable Azure Defender for App Service to help alert on anomalous activity related to your Azure Functions.

Azure Information Protection (AIP) provides monitoring capabilities for information that has been classified and labeled.

If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution to enforce detective and/or preventative controls to prevent data exfiltration.

Responsibility: Customer

Azure Security Center monitoring: None

DP-4: Encrypt sensitive information in transit

Guidance: To complement access controls, data in transit should be protected against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.

Azure Functions supports data encryption in transit with TLS v1.2 or greater.

While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, SSH versions and protocols, and weak ciphers should be disabled.

By default, Azure provides encryption for data in transit between Azure data centers.

Configuration settings are available to use an earlier version of TLS if needed, but by default TLS 1.2 is the minimum version.

Responsibility: Shared

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

  • Name (Azure portal): API App should only be accessible over HTTPS. Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Effect(s): Audit, Disabled. Version (GitHub): 1.0.0
  • Name (Azure portal): FTPS only should be required in your API App. Description: Enable FTPS enforcement for enhanced security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): FTPS only should be required in your Function App. Description: Enable FTPS enforcement for enhanced security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): FTPS should be required in your Web App. Description: Enable FTPS enforcement for enhanced security. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0
  • Name (Azure portal): Function App should only be accessible over HTTPS. Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Effect(s): Audit, Disabled. Version (GitHub): 1.0.0
  • Name (Azure portal): Latest TLS version should be used in your API App. Description: Upgrade to the latest TLS version. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 1.0.0
  • Name (Azure portal): Latest TLS version should be used in your Function App. Description: Upgrade to the latest TLS version. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 1.0.0
  • Name (Azure portal): Latest TLS version should be used in your Web App. Description: Upgrade to the latest TLS version. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 1.0.0
  • Name (Azure portal): Web Application should only be accessible over HTTPS. Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Effect(s): Audit, Disabled. Version (GitHub): 1.0.0
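The settings this baseline keeps returning to (the TLS minimum and HTTPS redirect under NS-1 and DP-4, FTPS enforcement from the policy definitions above, managed identities under IM-2, inbound IP restrictions under NS-1, and Key Vault references instead of literal secrets under IM-7) can all be read from a function app's resource properties, so they can be audited offline. The following script is an added example, not Microsoft's tooling or part of the policy definitions; it assumes the input has the shape of a Microsoft.Web/sites resource as returned by `az functionapp show` (top-level `httpsOnly` and `identity`, plus a `siteConfig` object with `minTlsVersion`, `ftpsState` and `ipSecurityRestrictions`) and an app-settings name/value dict, and the two sample apps it checks are constructed.

```python
"""Offline audit of an Azure Functions app against baseline controls NS-1, IM-2, IM-7 and DP-4.

Assumed input: the Microsoft.Web/sites property shape from `az functionapp show`
plus app settings as a name -> value dict. All sample data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # benchmark control id, e.g. "DP-4"
    message: str


KV_REF = re.compile(r"^@Microsoft\.KeyVault\(")   # Key Vault reference syntax in app settings
SECRET_HINT = re.compile(r"KEY|SECRET|PASSWORD|PWD|TOKEN|CONNECTIONSTRING", re.I)


def tls_version(value) -> tuple:
    """Parse '1.2' into (1, 2); a missing or unparsable value sorts below (1, 2)."""
    try:
        return tuple(int(p) for p in str(value).split("."))
    except ValueError:
        return (0,)


def inbound_is_restricted(rules) -> bool:
    """True if any rule narrows inbound traffic beyond the implicit 'Allow Any' rule.
    A rule restricts when it names an IP block / service tag or a VNet subnet."""
    for r in rules or []:
        if r.get("ipAddress") not in (None, "", "Any") or r.get("vnetSubnetResourceId"):
            return True
    return False


def audit_function_app(site: dict, app_settings: dict) -> list:
    findings = []
    cfg = site.get("siteConfig") or {}

    # DP-4: with httpsOnly off, plain HTTP requests are served instead of redirected
    if not site.get("httpsOnly", False):
        findings.append(Finding("DP-4", "httpsOnly is false; HTTP requests are not redirected to HTTPS"))

    # DP-4: TLS 1.2 is the default minimum but can be lowered by configuration
    if tls_version(cfg.get("minTlsVersion")) < (1, 2):
        findings.append(Finding("DP-4", f"minTlsVersion is {cfg.get('minTlsVersion')!r}; require 1.2 or later"))

    # DP-4: deployment over unencrypted FTP
    ftps = cfg.get("ftpsState", "AllAllowed")
    if ftps not in ("FtpsOnly", "Disabled"):
        findings.append(Finding("DP-4", f"ftpsState is {ftps!r}; use FtpsOnly or Disabled"))

    # IM-2: a managed identity avoids credentials in code or configuration
    identity_type = (site.get("identity") or {}).get("type") or "None"
    if "Assigned" not in identity_type:
        findings.append(Finding("IM-2", "no system- or user-assigned managed identity"))

    # NS-1: inbound access restrictions over IP blocks, subnets or service tags
    if not inbound_is_restricted(cfg.get("ipSecurityRestrictions")):
        findings.append(Finding("NS-1", "no inbound IP restrictions; the app accepts traffic from any address"))

    # IM-7: secret-looking settings should be Key Vault references, not literals
    for name, value in app_settings.items():
        if SECRET_HINT.search(name) and not KV_REF.match(str(value)):
            findings.append(Finding("IM-7", f"app setting {name} holds a literal secret, not a Key Vault reference"))
    return findings


def failed_controls(site: dict, app_settings: dict) -> set:
    """Set of control ids with at least one finding."""
    return {f.control for f in audit_function_app(site, app_settings)}


# Constructed sample: an app left at weak settings.
WEAK_SITE = {
    "httpsOnly": False,
    "identity": None,
    "siteConfig": {
        "minTlsVersion": "1.0",
        "ftpsState": "AllAllowed",
        "ipSecurityRestrictions": [
            {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"}],
    },
}
WEAK_SETTINGS = {"FUNCTIONS_WORKER_RUNTIME": "python", "SqlPassword": "example-literal-password"}

# Constructed sample: the same app after hardening.
HARDENED_SITE = {
    "httpsOnly": True,
    "identity": {"type": "SystemAssigned"},
    "siteConfig": {
        "minTlsVersion": "1.2",
        "ftpsState": "FtpsOnly",
        "ipSecurityRestrictions": [
            {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100, "name": "corp-egress"},
            {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"}],
    },
}
HARDENED_SETTINGS = {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "SqlPassword": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/sql-password/)",
}

if __name__ == "__main__":
    for label, site, settings in (("weak", WEAK_SITE, WEAK_SETTINGS), ("hardened", HARDENED_SITE, HARDENED_SETTINGS)):
        for f in audit_function_app(site, settings):
            print(f"[{label}] {f.control}: {f.message}")
```

To run it against a real app, feed it the JSON from `az functionapp show` and `az functionapp config appsettings list` for that app; settings whose names match the heuristic but legitimately hold non-secret values will need to be excluded by hand.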

DP-5: Encrypt sensitive data at rest

Guidance: To complement access controls, Azure Functions encrypts data at rest to protect against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.

The storage account used by Azure Functions may be configured with additional encryption options.

Secrets used for configuration of the app can be stored in Azure Key Vault for additional encryption options.

Responsibility: Shared

Azure Security Center monitoring: None

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Responsibility: Customer

Azure Security Center monitoring: None

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

Responsibility: Customer

Azure Security Center monitoring: None

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.

Responsibility: Customer

Azure Security Center monitoring: None

AM-6: Use only approved applications in compute resources

Guidance: Restrict deployment permissions and use a CI/CD system to deploy code to your function apps.

Responsibility: Customer

Azure Security Center monitoring: None

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Use the Azure Security Center built-in threat detection capability and enable Azure Defender (formerly Azure Advanced Threat Protection) for your Azure Functions resources. Azure Defender for Azure Functions provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Azure Functions resources.

Forward any logs from Azure Functions to your SIEM, which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.

Responsibility: Customer

Azure Security Center monitoring: None

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Azure Security Center can also trigger alerts on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Security Center's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside individual resources.

Responsibility: Customer

Azure Security Center monitoring: None

LT-3: Enable logging for Azure network activities

Guidance: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

Ensure that you are collecting DNS query logs to assist in correlating other network data. Implement a third-party solution from Azure Marketplace for DNS logging as per your organization's need.

For function apps configured with Application Insights or Log Analytics, you can view the resources the app is attempting to interact with.

Responsibility: Customer

Azure Security Center monitoring: None

LT-4: Enable logging for Azure resources

Guidance: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your Azure Functions resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Enable Azure resource logs for Azure Functions. You can use Azure Security Center and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and performing forensic exercises.

Responsibility: Shared

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

  • Name (Azure portal): Diagnostic logs in App Services should be enabled. Description: Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Effect(s): AuditIfNotExists, Disabled. Version (GitHub): 2.0.0

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.

Ensure that you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.

In addition, enable and onboard data to Azure Sentinel or a third-party SIEM.

Many organizations choose to use Azure Sentinel for 'hot' data that is used frequently and Azure Storage for 'cold' data that is used less frequently.

For applications that may run on Azure Functions, forward all security-related logs to your SIEM for centralized management.

Responsibility: Customer

Azure Security Center monitoring: None

LT-6: Configure log storage retention

Guidance: Ensure that any storage accounts or Log Analytics workspaces used for storing Azure Functions logs have the log retention period set according to your organization's compliance regulations.

Responsibility: Customer

Azure Security Center monitoring: None

LT-7: Use approved time synchronization sources

Guidance: Azure Functions does not support configuring your own time synchronization sources.

The Azure Functions service relies on Microsoft time synchronization sources; these are not exposed to customers for configuration.

Responsibility: Microsoft

Azure Security Center monitoring: None

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.

All Azure Functions plans except the Consumption plan are supported by Azure Defender for App Service.

Some security settings in Azure Functions exist as part of child configuration resources in Azure Resource Manager and are not controlled by Azure Policy applied to function apps.

Responsibility: Customer

Azure Security Center monitoring: None

PV-2: Sustain secure configurations for Azure services

Guidance: Use Azure Security Center to monitor your configuration baseline, and use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure configuration across Azure compute resources, including VMs, containers, and others.

All Azure Functions plans except the Consumption plan are supported by Azure Defender for App Service.

Some security settings in Azure Functions exist as part of child configuration resources in Azure Resource Manager and are not controlled by Azure Policy applied to function apps.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0
CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0
CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0
Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Audit, Disabled | 1.0.1
Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0

PV-3: Establish secure configurations for compute resources

Guidance: Use Azure Security Center and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.

Responsibility: Customer

Azure Security Center monitoring: None

PV-4: Sustain secure configurations for compute resources

Guidance: Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources such as virtual machines (VMs), containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Use the Azure Security Center recommendations page to view recommendations and remediate issues.

Responsibility: Shared

Azure Security Center monitoring: None

PV-5: Securely store custom operating system and container images

Guidance: Azure Functions allows customers to manage any container images they use with the service. Use Azure role-based access control (RBAC) to ensure that only authorized users can access your custom images. Store container images in Azure Container Registry and use Azure RBAC to ensure that only authorized users have access.

Responsibility: Customer

Azure Security Center monitoring: None

PV-6: Perform software vulnerability assessments

Guidance: Azure Functions allows running containers deployed through container registries.

Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure container images. Azure Security Center has a built-in vulnerability scanner for container images.

As required, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected solution's portal to view historical scan data.

Microsoft performs vulnerability management on the underlying systems that support Azure Functions.

Responsibility: Shared

Azure Security Center monitoring: None

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: Prioritize using a common risk scoring program (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, and then tailor the result to your environment using context about which applications present a high security risk and which ones require high uptime.

Azure Functions allows users to deploy applications as custom images pulled from container registries in its environment.

For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.

Responsibility: Shared

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.1.0
Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.1.0
Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0
Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0
Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0
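The PV-2 CORS, client-certificate and remote-debugging policies and the PV-7 runtime-version policies all audit properties of a function app and of its child config/web resource. This added Python example (not Microsoft's policy engine, and not code from this page) applies the same checks to function apps exported as ARM JSON; the sample apps, the property paths and the latest-version map are constructed assumptions to verify against your own exports and the support matrix.

```python
import json

# Constructed sample function apps in ARM-template shape (not real resources).
# Property paths are assumed from the Microsoft.Web/sites schema; verify them
# against an exported template before relying on these checks.
SAMPLE_APPS = json.loads("""[
 {"name": "func-orders", "kind": "functionapp,linux",
  "properties": {"clientCertEnabled": false,
   "siteConfig": {"cors": {"allowedOrigins": ["*"]},
                  "remoteDebuggingEnabled": true,
                  "linuxFxVersion": "PYTHON|3.6"}}},
 {"name": "func-billing", "kind": "functionapp,linux",
  "properties": {"clientCertEnabled": true,
   "siteConfig": {"cors": {"allowedOrigins": ["https://portal.contoso.example"]},
                  "remoteDebuggingEnabled": false,
                  "linuxFxVersion": "PYTHON|3.9"}}}
]""")

def check_app(app, latest_runtime):
    """Return finding ids for one app. latest_runtime maps STACK -> newest
    version; it is an input you maintain from the support matrix. CORS and
    remote debugging live on the child config/web resource (siteConfig), the
    client-certificate flag on the site itself, so both levels are read."""
    props = app.get("properties", {})
    cfg = props.get("siteConfig", {})
    findings = []
    if "*" in cfg.get("cors", {}).get("allowedOrigins", []):
        findings.append("cors-allows-all-origins")      # CORS policy
    if not props.get("clientCertEnabled", False):
        findings.append("client-certificates-disabled")  # incoming client certs
    if cfg.get("remoteDebuggingEnabled", False):
        findings.append("remote-debugging-enabled")      # opens inbound ports
    fx = cfg.get("linuxFxVersion", "")                   # Linux apps: "STACK|ver"
    if "|" in fx:
        stack, version = fx.split("|", 1)
        wanted = latest_runtime.get(stack.upper())
        if wanted and version != wanted:
            findings.append(f"{stack.lower()}-version-outdated")
    return findings

def audit(apps, latest_runtime):
    """Map app name -> findings for every non-compliant function app."""
    return {app["name"]: f for app in apps
            if "functionapp" in app.get("kind", "")  # web/API apps not targeted
            and (f := check_app(app, latest_runtime))}
```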

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Azure Security Center monitoring: None

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-1: Use Endpoint Detection and Response (EDR)

Guidance: Microsoft manages the underlying platform components of Azure Functions. Azure Functions goes through rigorous compliance checks on a continuous basis to make sure that 24-hour threat management protects the infrastructure and platform against malware, distributed denial-of-service (DDoS), man-in-the-middle (MITM), and other threats. Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Functions). However, it does not run on your content.

Responsibility: Microsoft

Azure Security Center monitoring: None

ES-2: Use centrally managed modern anti-malware software

Guidance: Azure Functions maintains and runs anti-malware for system resources and the runtime. For custom container images, or for the storage used by your application, consider using a centrally managed modern anti-malware solution.

Responsibility: Shared

Azure Security Center monitoring: None

ES-3: Ensure anti-malware software and signatures are updated

Guidance: Microsoft manages the underlying platform components of Azure Functions. Azure Functions goes through rigorous compliance checks on a continuous basis to make sure that 24-hour threat management protects the infrastructure and platform against malware, distributed denial-of-service (DDoS), man-in-the-middle (MITM), and other threats. Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Functions). However, it does not run on your content.

Responsibility: Microsoft

Azure Security Center monitoring: None

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-4: Mitigate risk of lost keys

Guidance: Ensure that you have measures in place to prevent and recover from the loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.

Responsibility: Customer

Azure Security Center monitoring: None

Next steps