
Arm Rules

IaC rules for Arm that identify insecure configurations in infrastructure and cloud resources.

Arm Rule Catalog

| ID | Title | Severity |
|---|---|---|
| IAC-0520 | Azure RDP Internet access is not restricted | HIGH |
| IAC-0522 | Azure SQL Servers Firewall rule allow ingress access from 0.0.0.0/0 | HIGH |
| IAC-0535 | Azure SQL Server audit log retention is not greater than 90 days | HIGH |
| IAC-0536 | Azure SQL Server threat detection alerts are not enabled for all threat types | HIGH |
| IAC-0537 | Azure SQL server send alerts to field value is not set | HIGH |
| IAC-0545 | Azure storage account has a blob container that is publicly accessible | HIGH |
| IAC-0550 | Azure subscriptions with custom roles does not have minimum permissions | HIGH |
| IAC-0552 | Azure Key Vault secrets does not have expiration date | HIGH |
| IAC-0559 | Azure Linux scale set does not use an SSH key | HIGH |
| IAC-0806 | Azure Machine learning workspace configured with overly permissive network access | HIGH |
| IAC-0516 | Azure AKS enable role-based access control (RBAC) not enforced | MEDIUM |
| IAC-0525 | Azure App Service Web app doesn't redirect HTTP to HTTPS | MEDIUM |
| IAC-0527 | App Service is not registered with an Azure Active Directory account | MEDIUM |
| IAC-0746 | Azure Machine learning workspace is not configured with private endpoint | MEDIUM |
| IAC-0512 | Azure Virtual Machine (Linux) does not authenticate using SSH keys | LOW |
| IAC-0517 | Azure AKS cluster configured with overly permissive API server access | LOW |
| IAC-0518 | Azure AKS cluster network policies are not enforced | LOW |
| IAC-0519 | Kubernetes dashboard is not disabled | LOW |
| IAC-0523 | Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days | LOW |
| IAC-0524 | Azure App Service Web app authentication is off | LOW |
| IAC-0526 | Azure App Service Web app doesn't use latest TLS version | LOW |
| IAC-0534 | Azure SQL Server auditing policy is disabled | LOW |
| IAC-0539 | Azure MySQL Database Server SSL connection is disabled | LOW |
| IAC-0540 | Azure PostgreSQL database server with SSL connection disabled | LOW |
| IAC-0547 | Azure Storage Account 'Trusted Microsoft Services' access not enabled | LOW |
| IAC-0557 | Azure MariaDB database server with SSL connection disabled | LOW |
| IAC-0639 | Azure Cosmos DB key based authentication is enabled | LOW |
| IAC-0805 | Azure Databricks Workspaces not using customer-managed key for root DBFS encryption | LOW |
| IAC-0513 | Azure VM data disk is not encrypted with ADE/CMK | INFO |
| IAC-0515 | Azure AKS cluster monitoring not enabled | INFO |
| IAC-0521 | Azure Network Security Group allows all traffic on SSH port 22 | INFO |
| IAC-0528 | Azure App Service Web app client certificate is disabled | INFO |
| IAC-0529 | Azure App Service Web app doesn't use HTTP 2.0 | INFO |
| IAC-0530 | Azure Microsoft Defender for Cloud Defender plans is set to Off | INFO |
| IAC-0531 | Azure Microsoft Defender for Cloud security contact phone number is not set | INFO |
| IAC-0533 | Azure Microsoft Defender for Cloud email notification for subscription owner is not set | INFO |
| IAC-0538 | Azure SQL Databases with disabled Email service and co-administrators for Threat Detection | INFO |
| IAC-0541 | Azure PostgreSQL database server with log checkpoints parameter disabled | INFO |
| IAC-0542 | Azure PostgreSQL database server with log connections parameter disabled | INFO |
| IAC-0543 | Azure PostgreSQL database server with connection throttling parameter is disabled | INFO |
| IAC-0544 | Azure storage account logging for queues is disabled | INFO |
| IAC-0546 | Azure Storage Account default network access is set to 'Allow' | INFO |
| IAC-0548 | Azure Activity Log retention should not be set to less than 365 days | INFO |
| IAC-0549 | Azure Monitor log profile does not capture all activities | INFO |
| IAC-0553 | Azure Key Vault is not recoverable | INFO |
| IAC-0638 | Azure Microsoft Defender for Cloud security alert email notifications is not set | INFO |
| IAC-0745 | Azure Cognitive Services account is not configured with managed identity | INFO |

Total Rules: 47
