Determine App Service, Key Vault, and Resource Manager Security Posture Goals
Implementation Effort: Medium — Defining and aligning security posture goals requires collaboration across security, compliance, and platform teams, and may involve policy customization and continuous monitoring.
User Impact: Low — These goals are implemented and enforced by administrators and do not require end-user interaction.
Overview
Security posture goals in Microsoft Defender for Cloud help organizations define and maintain a secure baseline for critical Azure services like App Service, Key Vault, and Resource Manager. These goals are enforced through built-in policy initiatives and recommendations aligned with industry standards such as CIS and NIST 1.
App Service
Security posture goals for App Service include:
- Enforcing HTTPS-only traffic.
- Restricting cross-origin resource sharing (CORS).
- Enabling diagnostic logging.
- Using managed identities for secure access to other Azure resources 1.
These goals help ensure secure application hosting and align with the "Verify Explicitly" principle of Zero Trust.
Key Vault
For Key Vault, posture goals focus on:
- Enabling Defender for Key Vault to detect anomalous access attempts 2.
- Using RBAC instead of access policies.
- Enabling logging and diagnostics.
- Restricting public network access and using private endpoints 1.
These controls support the "Use Least Privilege Access" principle by minimizing exposure of sensitive secrets and keys.
Resource Manager
Security posture goals for Azure Resource Manager include:
- Monitoring control plane operations for suspicious activity.
- Enforcing RBAC and least privilege access.
- Auditing and logging all management operations.
- Preventing unauthorized deployments or role assignments 1.
These goals align with the "Assume Breach" principle by ensuring visibility and control over infrastructure-level changes.
Failing to define and enforce these posture goals can lead to misconfigurations, increased attack surface, and undetected malicious activity across your Azure environment.