Azure Advisor Security Recommendations.

Azure Advisor provides you with a consistent, consolidated view of recommendations for all your Azure resources. It integrates with Azure Security Center to bring you security recommendations. You can leverage Azure advisor to get security recommendations on the following grounds: Identity management, access control, application security, and encryption recommendations. 

Azure Advisor Security Best Practices; To robustly protect your Azure Resources adopt these best practices.

COMPUTE

• Enable adaptive application controls for defining safe applications.
• Update allowlist rules in your adaptive application control policy. 
• Encrypt automation account variables. 
• Enable Azure Defender and file integrity monitoring for servers.
• Use disk encryption on virtual machines.
• Use endpoint protection on your machines and VM scale sets. 
• Install the Log Analytics agent on your Azure Arc machines, virtual machines, and machine scale sets.
• Protect management ports for VMs with just-in-time network access control. 

CONTAINERS

• Enable Azure Defender for Kubernetes and container registries.
• Deploy from trusted registries only. 
• Avoid running containers as a root user.
• Use Role-Based Access Control (RBAC) for all Kubernetes services.
• Install Azure Policy Addon-on for Kubernetes on your clusters. 
• Ensure clusters are only accessible over HTTPS. 
• Avoid overriding or disabling container AppArmor profiles. 

App Services

• Enable Azure Defender for App Service.
• Require FTPS in your API app, function app, and web app.
• Use the latest version of TLS in your function app and web app. 

Data

• Provision Azure Active Directory for SQL servers.
• Install the Azure Defender extension on Azure Arc clusters.
• Use customer-managed keys to encrypt data at rest for Azure Cosmos DB accounts.
• Enable Azure Defender for SQL Database servers, DNS, Resource Manager, and storage. 

Identity & Access

• Have at least 2 but no more than 3 owners per subscription. 
• Enable Azure Defender for Key Vault. 
• Remove deprecated and external accounts with owner permissions, read permissions, and write permissions. 
• Use expirations for keys and secrets in your Key Vault.
• Enable MFA across all accounts with the owner, read, and write permissions.

IoT

• Apply adaptive network hardening recommendations on internet-facing VMs.
• Restrict network ports with network security groups. 
• Enable secure transfer to storage accounts. 
• Protect VM management ports with just-in-time network access control.