

Joshua Davis edited this page Apr 5, 2026 · 3 revisions

Data Protection

Governance policies for Data Protection

Domain: security

Patterns

| Name | Description |
| --- | --- |
| Key Vault reference in Container Apps | Reference a Key Vault secret from a Container App environment variable |

Anti-Patterns

| Description | Instead |
| --- | --- |
| Do not hardcode secrets, API keys, or connection strings in application code or config files | Use Key Vault references or managed identity for credential-free access |
| Do not disable TDE or encryption at rest on any data service | Leave default encryption settings enabled; use customer-managed keys only if required |

References


Checks (4)

| Check | Severity | Description |
| --- | --- | --- |
| WAF-SEC-DP-001 | Required | Enable encryption at rest for all data services (TDE, SSE, or service-managed keys) |
| WAF-SEC-DP-002 | Required | Enforce TLS 1.2+ for all data-in-transit connections |
| WAF-SEC-DP-003 | Recommended | Store application secrets and connection configuration in Azure Key Vault, not as plaintext in code, config files, or environment variables |
| WAF-SEC-DP-004 | Recommended | Use Azure Key Vault references in App Service and Container Apps configuration instead of plaintext secrets |

WAF-SEC-DP-001

Enable encryption at rest for all data services (TDE, SSE, or service-managed keys)

Severity: Required
Rationale: Encryption at rest with service-managed keys is on by default for the listed services, and several of them (Storage, Cosmos DB, Key Vault) cannot turn it off; where it can be disabled, as TDE can be per Azure SQL database, verify that it has not been, and add customer-managed keys only when a requirement calls for them
Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Targets

  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.Cache/redis
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.Search/searchServices
  • Microsoft.CognitiveServices/accounts

WAF-SEC-DP-002

Enforce TLS 1.2+ for all data-in-transit connections

Severity: Required
Rationale: TLS 1.0 and 1.1 are deprecated (RFC 8996) and carry known weaknesses in their cipher suites and handshake; TLS 1.2 is the minimum that services and clients should negotiate
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • Microsoft.Cache/redis
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.Search/searchServices
  • Microsoft.CognitiveServices/accounts
  • Microsoft.ContainerRegistry/registries
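One way to turn this check into a script over exported resource documents (the JSON returned by `az resource show` or a Resource Graph query), as an added example that is not part of the policy page or its agents: the minimum-TLS property differs in name and value format across the listed services, and some targets carry no setting at all. In particular, the floor for Microsoft.Sql/servers/databases is set on the parent Microsoft.Sql/servers resource (minimalTlsVersion), and Key Vault and Container Registry accept only TLS 1.2+ with nothing to configure. The property names follow the ARM schemas and should be confirmed against the API version in use; the sample resources are constructed for the example.

```python
"""Added example, not part of the policy page or its agents: evaluate exported Azure
resource documents against WAF-SEC-DP-002, the TLS 1.2+ floor for data in transit."""
from __future__ import annotations

import re
from typing import Any

# Where each resource type exposes its minimum TLS setting and the spelling it
# expects. Property names follow the ARM schemas; confirm against the API version
# in use before relying on them in a pipeline.
TLS_PROPERTY: dict[str, tuple[str, str]] = {
    "microsoft.storage/storageaccounts": ("properties.minimumTlsVersion", "TLS1_2"),
    "microsoft.sql/servers": ("properties.minimalTlsVersion", "1.2"),
    "microsoft.documentdb/databaseaccounts": ("properties.minimalTlsVersion", "Tls12"),
    "microsoft.cache/redis": ("properties.minimumTlsVersion", "1.2"),
    "microsoft.servicebus/namespaces": ("properties.minimumTlsVersion", "1.2"),
    "microsoft.eventhub/namespaces": ("properties.minimumTlsVersion", "1.2"),
    "microsoft.web/sites": ("properties.siteConfig.minTlsVersion", "1.2"),
}

# Targets on the policy page that carry no per-resource setting: either the
# platform enforces TLS 1.2+ itself or the setting lives on a parent resource.
NOT_ON_RESOURCE: dict[str, str] = {
    "microsoft.sql/servers/databases": "minimalTlsVersion is set on the parent Microsoft.Sql/servers resource",
    "microsoft.keyvault/vaults": "Key Vault accepts TLS 1.2+ only; nothing to configure",
    "microsoft.containerregistry/registries": "ACR accepts TLS 1.2+ only; nothing to configure",
}

_VERSION_RE = re.compile(r"^(?:tls)?[_\s]*(\d)(?:[._]?(\d))?$", re.IGNORECASE)


def parse_tls_version(value: Any) -> tuple[int, int] | None:
    """Normalise the service-specific spellings ('TLS1_2', 'Tls12', '1.2') to
    (major, minor). Cosmos DB's bare 'Tls' means 1.0; SQL's 'None' and a missing
    value return None because they encode no floor at all."""
    if not isinstance(value, str):
        return None
    text = value.strip()
    if text.lower() == "tls":
        return (1, 0)
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def _get_path(doc: Any, path: str) -> Any:
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def check_tls(resource: dict) -> tuple[str, str]:
    """Return (status, detail); status is 'pass', 'fail' or 'n/a'."""
    rtype = str(resource.get("type", "")).lower()
    if rtype in NOT_ON_RESOURCE:
        return ("n/a", NOT_ON_RESOURCE[rtype])
    if rtype not in TLS_PROPERTY:
        return ("n/a", f"no known minimum-TLS property for {rtype}")
    path, expected = TLS_PROPERTY[rtype]
    raw = _get_path(resource, path)
    version = parse_tls_version(raw)
    if version is None:
        # Design choice: an absent or 'None' floor is a finding even where today's
        # platform default is 1.2, so the floor is explicit in IaC rather than
        # inherited from a default that older resources may not share.
        return ("fail", f"{path} is {raw!r}; set it to {expected!r}")
    if version >= (1, 2):
        return ("pass", f"{path}={raw}")
    return ("fail", f"{path}={raw} admits TLS below 1.2; set it to {expected!r}")


def failing_resources(resources: list[dict]) -> list[str]:
    """Names of resources that fail WAF-SEC-DP-002."""
    return [r["name"] for r in resources if check_tls(r)[0] == "fail"]


# Constructed sample export for this example; not taken from a real tenant.
SAMPLE_RESOURCES: list[dict] = [
    {"name": "stprod", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"name": "sql-prod", "type": "Microsoft.Sql/servers",
     "properties": {"minimalTlsVersion": "None"}},
    {"name": "cosmos-prod", "type": "Microsoft.DocumentDB/databaseAccounts",
     "properties": {"minimalTlsVersion": "Tls12"}},
    {"name": "web-api", "type": "Microsoft.Web/sites",
     "properties": {"siteConfig": {"minTlsVersion": "1.0"}}},
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults", "properties": {}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        status, detail = check_tls(r)
        print(f"WAF-SEC-DP-002 {status:<4} {r['name']}: {detail}")
```

Treating an absent floor as a finding is deliberate: a resource that inherits the platform default passes today only as long as that default holds, and older resources created before the default changed may still admit TLS 1.0. Setting the property explicitly in Bicep or Terraform makes the check reviewable in code.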

WAF-SEC-DP-003

Store application secrets and connection configuration in Azure Key Vault, not as plaintext in code, config files, or environment variables

Severity: Recommended
Rationale: Key Vault provides audit logging of secret access, versioning and rotation support, and access control (RBAC or access policies) that configuration files and environment variables lack
Agents: cloud-architect, app-developer, csharp-developer, python-developer, biz-analyst

Targets

  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • Microsoft.Cache/redis
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.CognitiveServices/accounts

WAF-SEC-DP-004

Use Azure Key Vault references in App Service and Container Apps configuration instead of plaintext secrets

Severity: Recommended
Rationale: Key Vault references are resolved by the platform at runtime using the app's managed identity, so the secret value never sits in app settings, templates, or source control and does not sprawl across copies of the configuration
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • Microsoft.KeyVault/vaults
  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.Cache/redis
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.CognitiveServices/accounts
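The following is an added example, not tooling from the policy page, that serves the "Key Vault reference in Container Apps" pattern above as well as WAF-SEC-DP-003 and WAF-SEC-DP-004. It builds the two reference forms (the App Service `@Microsoft.KeyVault(...)` app-setting value and the Container Apps secret entry with `keyVaultUrl` plus `identity`) and then inspects App Service and Container Apps resource documents for credential-like settings that are still literals. The vault name `kv-example`, the secret names, and the credential-name heuristic are assumptions for the example; the sample resources are constructed.

```python
"""Added example, not the policy page's own tooling: flag plaintext secrets in App
Service and Container Apps configuration (WAF-SEC-DP-003/004) and build the Key
Vault reference forms that replace them."""
from __future__ import annotations

import re

# Setting names that usually carry credentials; a heuristic, extend for local naming.
SENSITIVE_NAME = re.compile(
    r"secret|password|passwd|pwd|api[_-]?key|token|connection[_-]?string|sas",
    re.IGNORECASE,
)

# App Service Key Vault reference syntax, both documented forms:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<ver>])
KV_REFERENCE = re.compile(
    r"^@Microsoft\.KeyVault\("
    r"(SecretUri=https://[^;)]+|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^;)]+)?)"
    r"\)$",
    re.IGNORECASE,
)


def app_service_reference(secret_uri: str) -> str:
    """App-setting value that App Service resolves from Key Vault at runtime."""
    return f"@Microsoft.KeyVault(SecretUri={secret_uri})"


def container_app_secret(name: str, secret_uri: str, identity: str = "system") -> dict:
    """Container Apps secret entry resolved from Key Vault. The app's managed identity
    ('system' or a user-assigned identity resource ID) needs get on the secret."""
    return {"name": name, "keyVaultUrl": secret_uri, "identity": identity}


def is_keyvault_reference(value: str) -> bool:
    return bool(KV_REFERENCE.match(value.strip()))


def check_app_service(site: dict) -> list[str]:
    """Microsoft.Web/sites: every credential-like app setting must be a reference."""
    findings: list[str] = []
    settings = site.get("properties", {}).get("siteConfig", {}).get("appSettings", [])
    for s in settings:
        name, value = str(s.get("name", "")), str(s.get("value", ""))
        if SENSITIVE_NAME.search(name) and not is_keyvault_reference(value):
            findings.append(f"{site['name']}: app setting {name} is a literal; use a Key Vault reference")
    return findings


def check_container_app(app: dict) -> list[str]:
    """Microsoft.App/containerApps: secrets must come from Key Vault (keyVaultUrl plus
    identity), and credential-like env vars must use secretRef, not value."""
    findings: list[str] = []
    props = app.get("properties", {})
    secrets = {s["name"]: s for s in props.get("configuration", {}).get("secrets", [])}
    for sname, s in secrets.items():
        if "value" in s:
            findings.append(f"{app['name']}: secret {sname} is stored inline; use keyVaultUrl and identity")
        elif not (s.get("keyVaultUrl") and s.get("identity")):
            findings.append(f"{app['name']}: secret {sname} lacks keyVaultUrl or identity")
    for container in props.get("template", {}).get("containers", []):
        for env in container.get("env", []):
            name = str(env.get("name", ""))
            if "secretRef" in env:
                if env["secretRef"] not in secrets:
                    findings.append(f"{app['name']}: env {name} references unknown secret {env['secretRef']}")
            elif SENSITIVE_NAME.search(name):
                findings.append(f"{app['name']}: env {name} is a literal; use secretRef to a Key Vault-backed secret")
    return findings


# Constructed sample resources; vault and secret names are hypothetical.
API_KEY_URI = "https://kv-example.vault.azure.net/secrets/api-key/"
DB_PASSWORD_URI = "https://kv-example.vault.azure.net/secrets/db-password"

SAMPLE_SITE = {
    "name": "web-api", "type": "Microsoft.Web/sites",
    "properties": {"siteConfig": {"appSettings": [
        {"name": "ASPNETCORE_ENVIRONMENT", "value": "Production"},
        {"name": "API_KEY", "value": app_service_reference(API_KEY_URI)},
        {"name": "DB_CONNECTION_STRING", "value": "Server=tcp:sql-prod;Password=Pl@intext1"},
    ]}},
}

SAMPLE_APP = {
    "name": "worker", "type": "Microsoft.App/containerApps",
    "properties": {
        "configuration": {"secrets": [
            container_app_secret("db-password", DB_PASSWORD_URI),
            {"name": "legacy-token", "value": "hardcoded-token-value"},
        ]},
        "template": {"containers": [{"name": "worker", "env": [
            {"name": "DB_PASSWORD", "secretRef": "db-password"},
            {"name": "LEGACY_TOKEN", "secretRef": "legacy-token"},
            {"name": "SMTP_PASSWORD", "value": "Pl@intext2"},
        ]}]},
    },
}

if __name__ == "__main__":
    for finding in check_app_service(SAMPLE_SITE) + check_container_app(SAMPLE_APP):
        print("WAF-SEC-DP-003/004", finding)
```

Two points worth keeping in mind when adopting this: a Container Apps secret with an inline `value` is a finding even when every env var uses `secretRef`, because the secret then lives in the resource definition and in whatever template deployed it; and both reference forms only work once the app's managed identity has been granted read access to the secret in Key Vault, so a failed grant shows up as a runtime resolution error rather than a policy finding.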
