Azure Landing Zone Review Checklist – Security, governance and compliance
| Question | Severity | Comment | Link to more information |
|---|---|---|---|
| **Azure Key Vault** | | | |
| Use a federated Azure Key Vault model to avoid transaction scale limits. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) roles. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Automate the certificate management and renewal process with public certificate authorities to ease administration. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Establish an automated process for key and certificate rotation. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Enable the firewall and virtual network service endpoints on the vault to control access to the key vault. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Delegate Key Vault instantiation and privileged access, and use Azure Policy to enforce a consistent compliant configuration. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Don’t share Key Vault instances between applications, to avoid secret sharing across environments. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| Don’t use centralized instances of Key Vault for application keys or secrets. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigations so that inconsistencies don’t hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency. | Medium | | Best Practices to use Key Vault – Azure Key Vault \| Microsoft Docs |
| **Azure Policy** | | | |
| Identify required Azure tags and use the append policy mode to enforce usage. | Medium | | Resource naming and tagging decision guide – Cloud Adoption Framework \| Microsoft Docs |
| Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Manage policy assignments at the highest appropriate level, with exclusions at lower levels if required. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Use Azure Policy to control resource provider registrations at the subscription and/or management group levels. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Use built-in policies where possible to minimize operational overhead. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Assign the built-in Policy Contributor role at a particular scope to enable application-level governance. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Use Azure Policy to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Monitor VM security configuration drift via Azure Policy. | Medium | | Overview of Azure Policy – Azure Policy \| Microsoft Docs |
| Use Azure AD reporting capabilities to generate access control audit reports. | Medium | | What are Azure Active Directory reports? \| Microsoft Docs |
| Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary. | Medium | | Log Analytics workspace data export in Azure Monitor (preview) – Azure Monitor \| Microsoft Docs |
| Enable Security Center Standard for all subscriptions, and use Azure Policy to ensure compliance. | Medium | | Azure Security Center documentation \| Microsoft Docs |
| Monitor base operating system patching drift via Azure Monitor Logs and Azure Security Center. | Medium | | Azure Security Center documentation \| Microsoft Docs |
| Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace. | Medium | | Designing your Azure Monitor Logs deployment – Azure Monitor \| Microsoft Docs |
| Determine the incident response plan for each Azure service before allowing it into production. | Medium | | Azure Security Control – Incident Response \| Microsoft Docs |
| Implement a zero-trust approach for access to the Azure platform, where appropriate. | Medium | | Implementing a Zero Trust security model at Microsoft |
| Plan how new Azure services will be implemented. | Medium | | Azure Security Control – Incident Response \| Microsoft Docs |
| Plan how service requests will be fulfilled for Azure services. | Medium | | Azure Security Control – Incident Response \| Microsoft Docs |
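The Key Vault items in the checklist (soft delete and purge protection, firewall on the vault, least-privilege delete/purge rights) can be checked mechanically during a review. The script below is an added example, not part of the checklist or of Microsoft's documentation; it assumes the input is the JSON that `az keyvault show --name <vault> -o json` returns (property names are those of the Microsoft.KeyVault/vaults resource) and uses a constructed sample rather than a real vault.

```python
"""Evaluate one Key Vault's configuration against the checklist's Key Vault items."""
import json

# Constructed sample in the shape of `az keyvault show -o json`; not captured from a real subscription.
SAMPLE_VAULT = json.loads("""{
  "name": "kv-app1-prod",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                    "ipRules": [], "virtualNetworkRules": []}
  }
}""")


def audit_key_vault(vault: dict) -> list:
    """Return a list of (checklist item, finding) pairs; an empty list means compliant."""
    props = vault.get("properties") or {}
    acls = props.get("networkAcls") or {}
    findings = []
    # Item: soft delete and purge protection enabled (retention protection for deleted objects)
    if props.get("enableSoftDelete") is not True:
        findings.append(("soft delete", "disabled: deleted keys, secrets and certificates are unrecoverable"))
    if props.get("enablePurgeProtection") is not True:
        findings.append(("purge protection", "disabled: soft-deleted objects can be purged before retention ends"))
    # Item: firewall and virtual network service endpoints control access to the vault.
    # A missing networkAcls block or defaultAction 'Allow' means the vault accepts any network.
    if str(acls.get("defaultAction", "Allow")).lower() != "deny":
        findings.append(("vault firewall", "networkAcls.defaultAction is not 'Deny'; add explicit VNet/IP rules"))
    # Item: least privilege for permanent delete. With Azure RBAC the purge/delete data actions
    # can be scoped to custom roles; the access-policy model grants them per vault policy instead.
    if props.get("enableRbacAuthorization") is not True:
        findings.append(("least privilege", "access-policy permission model in use; consider Azure RBAC"))
    return findings


if __name__ == "__main__":
    for item, finding in audit_key_vault(SAMPLE_VAULT):
        print(f"[Medium] {SAMPLE_VAULT['name']} - {item}: {finding}")
```

Run it over every vault in scope (for example by iterating `az keyvault list` and calling `show` per vault) and paste the findings into the Comment column.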
Thank you for your precious time.