-
Notifications
You must be signed in to change notification settings - Fork 7
Governance Policies Security Authentication
Governance policies for Authentication
Domain: security
| Name | Description |
|---|---|
| Managed identity for service-to-service | Use managed identity to avoid storing credentials |
| Key Vault for external secrets | Store third-party API keys or connection strings in Key Vault |
| Description | Instead |
|---|---|
| Do not embed API keys or passwords in application source code | Use managed identity for Azure services or Key Vault for external secrets |
| Do not assign Owner or Contributor roles at subscription or resource group scope | Use the most specific built-in role at the narrowest scope possible |
| Check | Severity | Description |
|---|---|---|
| WAF-SEC-AUTH-001 | Required | Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables |
| WAF-SEC-AUTH-002 | Recommended | Assign least-privilege RBAC roles for all service principals and user accounts |
| WAF-SEC-AUTH-003 | Recommended | Prefer app registrations with scoped permissions over shared API keys for client authentication |
Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables
Severity: Required
Rationale: Hardcoded secrets leak through source control, logs, and error messages
Agents: cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent, biz-analyst
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerService/managedClusters
Assign least-privilege RBAC roles for all service principals and user accounts
Severity: Recommended
Rationale: Principle of least privilege limits blast radius of compromised credentials
Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerService/managedClusters
Prefer app registrations with scoped permissions over shared API keys for client authentication
Severity: Recommended
Rationale: App registrations support scoped permissions, token expiry, and audit logging
Agents: cloud-architect, app-developer, csharp-developer, python-developer, biz-analyst
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.KeyVault/vaults
- Microsoft.Cache/redis
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
Getting Started
Stages
Interfaces
Configuration
Agent System
Features
- Backlog Generation
- Cost Analysis
- Error Analysis
- Docs & Spec Kit
- MCP Integration
- Knowledge System
- Escalation
Quality
Help
Policies — Azure
AI Services
Compute
Data Services
- Azure SQL
- Backup Vault
- Cosmos Db
- Data Factory
- Databricks
- Event Grid
- Event Hubs
- Fabric
- IoT Hub
- Mysql Flexible
- Postgresql Flexible
- Recovery Services
- Redis Cache
- Service Bus
- Stream Analytics
- Synapse Workspace
Identity
Management
Messaging
Monitoring
Networking
- Application Gateway
- Bastion
- CDN
- DDoS Protection
- DNS Zones
- Expressroute
- Firewall
- Load Balancer
- Nat Gateway
- Network Interface
- Private Endpoints
- Public Ip
- Route Tables
- Traffic Manager
- Virtual Network
- Vpn Gateway
- WAF Policy
Security
Storage
Web & App
Policies — Well-Architected
Reliability
Security
Cost Optimization
Operational Excellence
Performance Efficiency
Integration