The 64 Azure security checks Black Cat runs
Black Cat SSPM evaluates 64 security policies against your Azure configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Reduce the number of subscription Owners to three or fewer
Replace custom admin roles with built-in RBAC roles scoped to least privilege
Remove classic Co-Administrator and Service Administrator role assignments
Remove privileged role assignments from guest (external) user accounts
Switch the Key Vault permission model to Azure RBAC for centralized access control
Configure a Microsoft Entra ID administrator for the Azure SQL Server
Enable a system-assigned or user-assigned managed identity on the App Service
Enable App Service Authentication to require identity provider login for the application
audit
Enable NSG flow logs to capture network traffic metadata for security analysis
Enable diagnostic settings on the Key Vault to capture audit and request logs
Enable auditing on the Azure SQL Server to log all database events
Extend the SQL Server audit log retention period to at least 90 days
Enable application and HTTP logging on the App Service
Set the diagnostic setting log retention period to at least 365 days
Create an activity log alert for Azure Policy assignment create and update operations
Create an activity log alert for NSG create and update operations
Create an activity log alert for NSG delete operations
Create an activity log alert for security solution create and update operations
Create an activity log alert for security solution delete operations
Create an activity log alert for SQL Server firewall rule create, update, and delete operations
Enable the disabled activity log alert rule so it fires on matching events
configuration
Restrict inbound SSH (port 22) in the NSG to specific trusted IP ranges
Restrict inbound RDP (port 3389) in the NSG to specific trusted IP ranges
Remove or restrict NSG inbound rules that allow all ports from any source
Restrict or remove NSG inbound rules that allow UDP traffic from internet sources
Restrict overly permissive outbound NSG rules to only necessary destinations and ports
Enable Azure Network Watcher in all regions where virtual networks are deployed
Enable Secure transfer required on the storage account to enforce HTTPS-only access
Restrict storage account network access to selected virtual networks or disable public access
Set the minimum TLS version to 1.2 on the storage account
Create a new storage account with infrastructure encryption enabled (cannot be enabled post-creation)
Disable shared key (storage account key) access and require Azure AD authentication
Enable soft delete for blobs to allow recovery of accidentally deleted or overwritten data
Enable soft delete for containers to allow recovery of accidentally deleted containers
Enable soft delete on the Key Vault to allow recovery of deleted secrets, keys, and certificates
Enable purge protection on the Key Vault to prevent permanent deletion during the soft-delete retention period
Set the Key Vault network default action to Deny and allow only specific networks
Add a private endpoint to the Key Vault to restrict access to within the virtual network
Enable Microsoft Defender for Servers on the subscription
Enable Microsoft Defender for App Service on the subscription
Enable Microsoft Defender for SQL on the subscription
Enable Microsoft Defender for Storage on the subscription
Enable Microsoft Defender for Containers on the subscription
Enable Microsoft Defender for Key Vault on the subscription
Enable Microsoft Defender for Resource Manager on the subscription
Configure a security contact email address in Microsoft Defender for Cloud
Configure a security contact phone number in Microsoft Defender for Cloud
Enable email alert notifications for security contacts in Defender for Cloud
Enable automatic provisioning of the Log Analytics agent for Azure VMs
Enable Microsoft Defender for SQL to activate Advanced Threat Protection on the SQL Server
Enable Transparent Data Encryption (TDE) on the Azure SQL Database
Remove the firewall rule that allows all Azure services to connect to the SQL Server
Remove or restrict the SQL Server firewall rule that allows all IP addresses
Set the minimum TLS version to 1.2 on the Azure SQL Server
Enable SQL Vulnerability Assessment on the Azure SQL Server
Enable HTTPS Only on the App Service to redirect all HTTP traffic to HTTPS
Set the minimum TLS version to 1.2 on the App Service
Disable plain FTP or restrict to FTPS only on the App Service
Disable remote debugging on the App Service to remove the open debug port
Enable HTTP/2 on the App Service for improved performance and security
data exposure
Disable public blob access on the storage account to prevent anonymous data exposure
key management
Rotate storage account access keys that are older than 90 days
Set an expiration date on all Key Vault keys to enforce key rotation
Set an expiration date on all Key Vault secrets to enforce secret rotation