There are a number of configurations in NMM that are not in compliance with the CIS Azure Foundations benchmark (and a few others) out of the box. It would be incredibly beneficial to make the appropriate adjustments internal to the deployment and ongoing configuration of NMM so that it is compliant out of the box. Any deviations or exceptions could be noted in a KB article. My scope in this request is the Azure Subscription hosting NMM.
Brownie points? Offer a method to bring existing installs (often from a few years ago now) into compliance. Or at least a KB page on various known issues and guidance for partners to manually bring them into spec.
Icing on the brownie points? An option to maintain compliance with CIS Controls in the customer subscription (paired with CIS Hardened images, now we are really impressing auditors). Probably a bit more challenging, but just putting it out there.
An org audited for CIS Controls (level 1 required, level 2 appreciated but much more challenging) has to create risk exceptions for a wide variety of items, most of them less than critical, which creates work and a burden to maintain that compliance.
A few control examples:
- Key Vaults require all secrets to have an expiration date - While NMM maintains the secrets in working order, the lack of the field being filled in is not in compliance with the standards
- Storage accounts with public internet access - NMM leverages a handful of accounts at the partner level depending on the usage, but most of them are only ever accessed by the NMM application before content like scripted actions is fed elsewhere by the app.
- Storage accounts with cross tenant replication enabled - I am not aware of a need for any of the NMM storage accounts to have this enabled, so it seems easy to ensure it is disabled right from the deployment.
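To make the three checks above repeatable against an existing install, here is an added example (not Nerdio's code) that evaluates the saved JSON output of `az keyvault secret list` and `az storage account list -o json` offline; the field names `attributes.expires`, `publicNetworkAccess`, `allowBlobPublicAccess` and `allowCrossTenantReplication` are assumed from the current CLI output, and the inventory below is constructed sample data, not real accounts.

```python
"""Offline checker for the three CIS findings listed above (added example).
Feed it the JSON from `az keyvault secret list` and `az storage account list`
(field names assumed from current Azure CLI output) and it returns findings."""
from datetime import datetime, timezone


def check_secret_expiry(secrets, now=None):
    """CIS: every Key Vault secret must carry an expiration date, and it must be in the future."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for s in secrets:
        expires = (s.get("attributes") or {}).get("expires")
        if not expires:
            findings.append((s["name"], "no expiration date set"))
            continue
        # CLI emits ISO 8601; tolerate a trailing 'Z' as well as '+00:00'
        if datetime.fromisoformat(expires.replace("Z", "+00:00")) < now:
            findings.append((s["name"], "expiration date already passed"))
    return findings


def check_storage_accounts(accounts):
    """CIS: no public network access, no anonymous blob access, no cross-tenant replication."""
    findings = []
    for a in accounts:
        name = a["name"]
        # Missing fields are treated as the permissive default, so they still get flagged
        if a.get("publicNetworkAccess", "Enabled") == "Enabled":
            findings.append((name, "public network access enabled"))
        if a.get("allowBlobPublicAccess", True):
            findings.append((name, "anonymous blob access allowed"))
        if a.get("allowCrossTenantReplication", True):
            findings.append((name, "cross-tenant replication enabled"))
    return findings


# Constructed sample inventory in the shape of the CLI output (not real accounts or secrets)
SAMPLE_SECRETS = [
    {"name": "nmm-sql-password", "attributes": {"expires": None}},
    {"name": "nmm-app-cert", "attributes": {"expires": "2030-01-01T00:00:00+00:00"}},
    {"name": "legacy-token", "attributes": {"expires": "2020-01-01T00:00:00+00:00"}},
]
SAMPLE_ACCOUNTS = [
    {"name": "nmmscripts", "publicNetworkAccess": "Enabled",
     "allowBlobPublicAccess": False, "allowCrossTenantReplication": True},
    {"name": "nmmhardened", "publicNetworkAccess": "Disabled",
     "allowBlobPublicAccess": False, "allowCrossTenantReplication": False},
]

if __name__ == "__main__":
    for f in check_secret_expiry(SAMPLE_SECRETS):
        print("keyvault:", *f)
    for f in check_storage_accounts(SAMPLE_ACCOUNTS):
        print("storage:", *f)
```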