CloudWiki
Resource

Virtual Machine

Microsoft Azure
Compute
Azure Virtual Machine (VM) is a cloud-based computing instance that allows users to deploy and run a virtual server in the cloud. Azure VMs provide a range of operating systems and configurations, allowing users to run different applications and workloads in the cloud. Users can choose from a variety of preconfigured images, including Windows Server, Linux distributions, and other operating systems. Azure VMs are highly scalable and customizable, allowing users to add or remove resources as needed, such as CPU, memory, and storage, based on their workload requirements.They also provide high availability and reliability features, including fault tolerance and automatic failover.
Terraform Name
terraform
azurerm_virtual_machine
Config.
Costs
Best Practices
Blogs
Virtual Machine
attributes:

The following arguments are supported:

  • name - (Required) Specifies the name of the Virtual Machine. Changing this forces a new resource to be created.
  • resource_group_name - (Required) Specifies the name of the Resource Group in which the Virtual Machine should exist. Changing this forces a new resource to be created.
  • location - (Required) Specifies the Azure Region where the Virtual Machine exists. Changing this forces a new resource to be created.
  • network_interface_ids - (Required) A list of Network Interface IDs which should be associated with the Virtual Machine.
  • os_profile_linux_config - (Optional) (Required, when a Linux machine) An os_profile_linux_config block as defined below.
  • os_profile_windows_config - (Optional) (Required, when a Windows machine) An os_profile_windows_config block as defined below.
  • vm_size - (Required) Specifies the size of the Virtual Machine. See also Azure VM Naming Conventions.
  • availability_set_id - (Optional) The ID of the Availability Set in which the Virtual Machine should exist. Changing this forces a new resource to be created.
  • boot_diagnostics - (Optional) A boot_diagnostics block as defined below.
  • additional_capabilities - (Optional) An additional_capabilities block as defined below.
  • delete_os_disk_on_termination - (Optional) Should the OS Disk (either the Managed Disk / VHD Blob) be deleted when the Virtual Machine is destroyed? Defaults to false.

Note:

This setting works when instance is deleted via Terraform only and don't forget to delete disks manually if you deleted VM manually. It can increase spending.

  • delete_data_disks_on_termination - (Optional) Should the Data Disks (either the Managed Disks / VHD Blobs) be deleted when the Virtual Machine is destroyed? Defaults to false.

Note:

This setting works when instance is deleted via Terraform only and don't forget to delete disks manually if you deleted VM manually. It can increase spending.

  • identity - (Optional) An identity block as defined below.
  • license_type - (Optional) Specifies the BYOL Type for this Virtual Machine. This is only applicable to Windows Virtual Machines. Possible values are Windows_Client and Windows_Server.
  • os_profile - (Optional) An os_profile block as defined below. Required when create_option in the storage_os_disk block is set to FromImage.
  • os_profile_secrets - (Optional) One or more os_profile_secrets blocks as defined below.
  • plan - (Optional) A plan block as defined below.
  • primary_network_interface_id - (Optional) The ID of the Network Interface (which must be attached to the Virtual Machine) which should be the Primary Network Interface for this Virtual Machine.
  • proximity_placement_group_id - (Optional) The ID of the Proximity Placement Group to which this Virtual Machine should be assigned. Changing this forces a new resource to be created
  • storage_data_disk - (Optional) One or more storage_data_disk blocks as defined below.

Please Note:

Data Disks can also be attached either using this block or the azurerm_ virtual_machine_data_disk_attachment resource - but not both.

  • storage_image_reference - (Optional) A storage_image_reference block as defined below. Changing this forces a new resource to be created.
  • storage_os_disk - (Required) A storage_os_disk block as defined below.
  • tags - (Optional) A mapping of tags to assign to the Virtual Machine.
  • zones - (Optional) A list of a single item of the Availability Zone which the Virtual Machine should be allocated in. Changing this forces a new resource to be created.

Please Note:

Availability Zones are only supported in several regions at this time.

For more information on the different example configurations, please check out the Azure documentation

An additional_unattend_config block supports the following:

  • pass - (Required) Specifies the name of the pass that the content applies to. The only allowable value is oobeSystem.
  • component - (Required) Specifies the name of the component to configure with the added content. The only allowable value is Microsoft-Windows-Shell-Setup.
  • setting_name - (Required) Specifies the name of the setting to which the content applies. Possible values are: FirstLogonCommands and AutoLogon.
  • content - (Required) Specifies the base-64 encoded XML formatted content that is added to the unattend.xml file for the specified path and component.

A boot_diagnostics block supports the following:

  • enabled - (Required) Should Boot Diagnostics be enabled for this Virtual Machine?
  • storage_uri - (Required) The Storage Account's Blob Endpoint which should hold the virtual machine's diagnostic files.

NOTE:

This needs to be the root of a Storage Account and not a Storage Container.

A additional_capabilities block supports the following:

  • ultra_ssd_enabled - (Required) Should Ultra SSD disk be enabled for this Virtual Machine? Changing this forces a new resource to be created.

Note:

Azure Ultra Disk Storage is only available in a region that support availability zones and can only enabled on the following VM series: ESv3, DSv3, FSv3, LSv2, M and Mv2. For more information see the Azure Ultra Disk Storage product documentation.

A identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Virtual Machine. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

NOTE:

Managed Service Identity previously required the installation of a VM Extension, but this information is now available via the Azure Instance Metadata Service.

NOTE:

When type is set to SystemAssigned, identity the Principal ID can be retrieved after the virtual machine has been created. More details are available below. See documentation for additional information.

  • identity_ids - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Virtual Machine.

NOTE:

This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

A os_profile block supports the following:

  • computer_name - (Required) Specifies the name of the Virtual Machine. Changing this forces a new resource to be created.
  • admin_username - (Required) Specifies the name of the local administrator account.
  • admin_password - (Optional) (Optional for Windows, Optional for Linux) The password associated with the local administrator account.

NOTE:

If using Linux, it may be preferable to use SSH Key authentication (available in the os_profile_linux_config block) instead of password authentication.

NOTE:

admin_password must be between 6-72 characters long and must satisfy at least 3 of password complexity requirements from the following:

  1. Contains an uppercase character
  2. Contains a lowercase character
  3. Contains a numeric digit
  4. Contains a special character
  • custom_data - (Optional) Specifies custom data to supply to the machine. On Linux-based systems, this can be used as a cloud-init script. On other systems, this will be copied as a file on disk. Internally, Terraform will base64 encode this value before sending it to the API. The maximum length of the binary array is 65535 bytes. Changing this forces a new resource to be created.

A os_profile_linux_config block supports the following:

  • disable_password_authentication - (Required) Specifies whether password authentication should be disabled. If set to false, an admin_password must be specified.
  • ssh_keys - (Optional) One or more ssh_keys blocks as defined below. This field is required if disable_password_authentication is set to true.

A os_profile_secrets block supports the following:

  • source_vault_id - (Required) Specifies the ID of the Key Vault to use.
  • vault_certificates - (Optional) One or more vault_certificates blocks as defined below.

A os_profile_windows_config block supports the following:

  • provision_vm_agent - (Optional) Should the Azure Virtual Machine Guest Agent be installed on this Virtual Machine? Defaults to false.

NOTE:

This is different from the Default value used for this field within Azure.

  • enable_automatic_upgrades - (Optional) Are automatic updates enabled on this Virtual Machine? Defaults to false.
  • timezone - (Optional) Specifies the time zone of the virtual machine, the possible values are defined here. Changing this forces a new resource to be created.
  • winrm - (Optional) One or more winrm blocks as defined below.
  • additional_unattend_config - (Optional) An additional_unattend_config block as defined below.

A plan block supports the following:

  • name - (Required) Specifies the name of the image from the marketplace.
  • publisher - (Required) Specifies the publisher of the image.
  • product - (Required) Specifies the product of the image from the marketplace.

A ssh_keys block supports the following:

  • key_data - (Required) The Public SSH Key which should be written to the path defined above.

Note:

Azure only supports RSA SSH2 key signatures of at least 2048 bits in length

NOTE:

Rather than defining this in-line you can source this from a local file using the file function - for example key_data = file("~/.ssh/id_rsa.pub").

  • path - (Required) The path of the destination file on the virtual machine

NOTE:

Due to a limitation in the Azure VM Agent the only allowed path is /home/{username}/.ssh/authorized_keys.

A storage_image_reference block supports the following:

This block provisions the Virtual Machine from one of two sources: an Azure Platform Image (e.g. Ubuntu/Windows Server) or a Custom Image.

To provision from an Azure Platform Image, the following fields are applicable:

  • publisher - (Optional) Specifies the publisher of the image used to create the virtual machine. Changing this forces a new resource to be created.
  • offer - (Optional) Specifies the offer of the image used to create the virtual machine. Changing this forces a new resource to be created.
  • sku - (Optional) Specifies the SKU of the image used to create the virtual machine. Changing this forces a new resource to be created.
  • version - (Optional) Specifies the version of the image used to create the virtual machine. Changing this forces a new resource to be created.

To provision a Custom Image, the following fields are applicable:

  • id - (Optional) Specifies the ID of the Custom Image which the Virtual Machine should be created from. Changing this forces a new resource to be created.

NOTE:

An example of how to use this is available within the ./examples/virtual-machines/virtual_machine/managed-disks/from-custom-image directory within the GitHub Repository

A storage_data_disk block supports the following:

NOTE:

Data Disks can also be attached either using this block or the azurerm_virtual_machine_data_disk_attachment resource - but not both.

  • name - (Required) The name of the Data Disk.
  • caching - (Optional) Specifies the caching requirements for the Data Disk. Possible values include None, ReadOnly and ReadWrite.
  • create_option - (Required) Specifies how the data disk should be created. Possible values are Attach, FromImage and Empty.

NOTE:

If using an image that does not have data to be written to the Data Disk, use Empty as the create option in order to create the desired disk without any data.

  • disk_size_gb - (Optional) Specifies the size of the data disk in gigabytes.
  • lun - (Required) Specifies the logical unit number of the data disk. This needs to be unique within all the Data Disks on the Virtual Machine.
  • write_accelerator_enabled - (Optional) Specifies if Write Accelerator is enabled on the disk. This can only be enabled on Premium_LRS managed disks with no caching and M-Series VMs. Defaults to false.

The following properties apply when using Managed Disks:

  • managed_disk_type - (Optional) Specifies the type of managed disk to create. Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS or UltraSSD_LRS.

Note:

managed_disk_type of type UltraSSD_LRS is currently in preview and are not available to subscriptions that have not requested onboarding to Azure Ultra Disk Storage preview. Azure Ultra Disk Storage is only available in East US 2, North Europe, and Southeast Asia regions. For more information see the Azure Ultra Disk Storage product documentation, product blog and FAQ. You must also set additional_capabilities.ultra_ssd_enabled to true.

  • managed_disk_id - (Optional) Specifies the ID of an Existing Managed Disk which should be attached to this Virtual Machine. When this field is set create_option must be set to Attach.

The following properties apply when using Unmanaged Disks:

  • vhd_uri - (Optional) Specifies the URI of the VHD file backing this Unmanaged Data Disk.

A storage_os_disk block supports the following:

  • name - (Required) Specifies the name of the OS Disk.
  • create_option - (Required) Specifies how the OS Disk should be created. Possible values are Attach (managed disks only) and FromImage.
  • caching - (Optional) Specifies the caching requirements for the OS Disk. Possible values include None, ReadOnly and ReadWrite.
  • disk_size_gb - (Optional) Specifies the size of the OS Disk in gigabytes.
  • image_uri - (Optional) Specifies the Image URI in the format publisherName:offer:skus:version. This field can also specify the VHD URI of a custom VM image to clone. When cloning a Custom (Unmanaged) Disk Image the os_type field must be set.
  • os_type - (Optional) Specifies the Operating System on the OS Disk. Possible values are Linux and Windows.
  • write_accelerator_enabled - (Optional) Specifies if Write Accelerator is enabled on the disk. This can only be enabled on Premium_LRS managed disks with no caching and M-Series VMs. Defaults to false.

The following properties apply when using Managed Disks:

  • managed_disk_id - (Optional) Specifies the ID of an existing Managed Disk which should be attached as the OS Disk of this Virtual Machine. If this is set then the create_option must be set to Attach. Changing this forces a new resource to be created.
  • managed_disk_type - (Optional) Specifies the type of Managed Disk which should be created. Possible values are Standard_LRS, StandardSSD_LRS or Premium_LRS.

The following properties apply when using Unmanaged Disks:

  • vhd_uri - (Optional) Specifies the URI of the VHD file backing this Unmanaged OS Disk. Changing this forces a new resource to be created.

A vault_certificates block supports the following:

  • certificate_url - (Required) The ID of the Key Vault Secret. Stored secret is the Base64 encoding of a JSON Object that which is encoded in UTF-8 of which the contents need to be:

{
 "data":"",
 "dataType":"pfx",
 "password":""
}

NOTE:

If your certificate is stored in Azure Key Vault - this can be sourced from the secret_id property on the azurerm_key_vault_certificate resource.

  • certificate_store - (Optional) (Required, on windows machines) Specifies the certificate store on the Virtual Machine where the certificate should be added to, such as My.

A winrm block supports the following:

  • protocol - (Required) Specifies the protocol of listener. Possible values are HTTP or HTTPS.
  • certificate_url - (Optional) The ID of the Key Vault Secret which contains the encrypted Certificate which should be installed on the Virtual Machine. This certificate must also be specified in the vault_certificates block within the os_profile_secrets block.

NOTE:

This can be sourced from the secret_id field on the azurerm_key_vault_certificate resource.

Associating resources with a
Virtual Machine
Resources do not "belong" to a
Virtual Machine
Rather, one or more Security Groups are associated to a resource.
Create
Virtual Machine
via Terraform:
The following HCL provisions a Virtual Machine with Managed Disks
Syntax:

variable "prefix" {
 default = "tfvmex"
}

resource "azurerm_resource_group" "example" {
 name     = "${var.prefix}-resources"
 location = "West Europe"
}

resource "azurerm_virtual_network" "main" {
 name                = "${var.prefix}-network"
 address_space       = ["10.0.0.0/16"]
 location            = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "internal" {
 name                 = "internal"
 resource_group_name  = azurerm_resource_group.example.name
 virtual_network_name = azurerm_virtual_network.main.name
 address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_interface" "main" {
 name                = "${var.prefix}-nic"
 location            = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name

 ip_configuration {
   name                          = "testconfiguration1"
   subnet_id                     = azurerm_subnet.internal.id
   private_ip_address_allocation = "Dynamic"
 }
}

resource "azurerm_virtual_machine" "main" {
 name                  = "${var.prefix}-vm"
 location              = azurerm_resource_group.example.location
 resource_group_name   = azurerm_resource_group.example.name
 network_interface_ids = [azurerm_network_interface.main.id]
 vm_size               = "Standard_DS1_v2"

 # Uncomment this line to delete the OS disk automatically when deleting the VM
 # delete_os_disk_on_termination = true

 # Uncomment this line to delete the data disks automatically when deleting the VM
 # delete_data_disks_on_termination = true

 storage_image_reference {
   publisher = "Canonical"
   offer     = "UbuntuServer"
   sku       = "16.04-LTS"
   version   = "latest"
 }
 storage_os_disk {
   name              = "myosdisk1"
   caching           = "ReadWrite"
   create_option     = "FromImage"
   managed_disk_type = "Standard_LRS"
 }
 os_profile {
   computer_name  = "hostname"
   admin_username = "testadmin"
   admin_password = "Password1234!"
 }
 os_profile_linux_config {
   disable_password_authentication = false
 }
 tags = {
   environment = "staging"
 }
}

Create
Virtual Machine
via CLI:
Parameters:

az vm create --name
            --resource-group
            [--accelerated-networking {false, true}]
            [--accept-term]
            [--admin-password]
            [--admin-username]
            [--asgs]
            [--assign-identity]
            [--attach-data-disks]
            [--attach-os-disk]
            [--authentication-type {all, password, ssh}]
            [--availability-set]
            [--boot-diagnostics-storage]
            [--capacity-reservation-group]
            [--computer-name]
            [--count]
            [--custom-data]
            [--data-disk-caching]
            [--data-disk-delete-option]
            [--data-disk-encryption-sets]
            [--data-disk-sizes-gb]
            [--disable-integrity-monitoring]
            [--disk-controller-type {NVMe, SCSI}]
            [--edge-zone]
            [--enable-agent {false, true}]
            [--enable-auto-update {false, true}]
            [--enable-hibernation {false, true}]
            [--enable-hotpatching {false, true}]
            [--enable-secure-boot {false, true}]
            [--enable-vtpm {false, true}]
            [--encryption-at-host {false, true}]
            [--ephemeral-os-disk {false, true}]
            [--ephemeral-os-disk-placement {CacheDisk, ResourceDisk}]
            [--eviction-policy {Deallocate, Delete}]
            [--generate-ssh-keys]
            [--host]
            [--host-group]
            [--image]
            [--license-type {None, RHEL_BASE, RHEL_BASESAPAPPS, RHEL_BASESAPHA, RHEL_BYOS, RHEL_ELS_6, RHEL_EUS, RHEL_SAPAPPS, RHEL_SAPHA, SLES, SLES_BYOS, SLES_HPC, SLES_SAP, SLES_STANDARD, Windows_Client, Windows_Server}]
            [--location]
            [--max-price]
            [--nic-delete-option]
            [--nics]
            [--no-wait]
            [--nsg]
            [--nsg-rule {NONE, RDP, SSH}]
            [--os-disk-caching {None, ReadOnly, ReadWrite}]
            [--os-disk-delete-option {Delete, Detach}]
            [--os-disk-encryption-set]
            [--os-disk-name]
            [--os-disk-secure-vm-disk-encryption-set]
            [--os-disk-security-encryption-type {DiskWithVMGuestState, VMGuestStateOnly}]
            [--os-disk-size-gb]
            [--os-type {linux, windows}]
            [--patch-mode {AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual}]
            [--plan-name]
            [--plan-product]
            [--plan-promotion-code]
            [--plan-publisher]
            [--platform-fault-domain]
            [--ppg]
            [--priority {Low, Regular, Spot}]
            [--private-ip-address]
            [--public-ip-address]
            [--public-ip-address-allocation {dynamic, static}]
            [--public-ip-address-dns-name]
            [--public-ip-sku {Basic, Standard}]
            [--role]
            [--scope]
            [--secrets]
            [--security-type {ConfidentialVM, TrustedLaunch}]
            [--size]
            [--specialized {false, true}]
            [--ssh-dest-key-path]
            [--ssh-key-name]
            [--ssh-key-values]
            [--storage-account]
            [--storage-container-name]
            [--storage-sku]
            [--subnet]
            [--subnet-address-prefix]
            [--tags]
            [--ultra-ssd-enabled {false, true}]
            [--use-unmanaged-disk]
            [--user-data]
            [--v-cpus-available]
            [--v-cpus-per-core]
            [--validate]
            [--vmss]
            [--vnet-address-prefix]
            [--vnet-name]
            [--workspace]
            [--zone {1, 2, 3}]

Example:

az vm create -n MyVm -g MyResourceGroup --image /SharedGalleries/{gallery_unique_name}/Images/{image}/Versions/{version}

aws cost
Costs
Direct Cost
Indirect Cost
No items found.
Best Practices for
Virtual Machine

Categorized by Availability, Security & Compliance and Cost

Medium
AMI (Amazon Machine Images) not in use
AWS Cost Optimization
APRA
AWS Well-Architected Framework
MAS
Medium
AMI (Amazon Machine Images) not in use (12 months)
AWS Cost Optimization
APRA
AWS Well-Architected Framework
MAS
High
AWS Config configuration changes alarm
Security & Compliance
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Access allowed from VPN
Security & Compliance
No items found.
Low
Auto Scaling Group not in use
Other
No items found.
Low
CloudTrail changes alarm
Security & Compliance
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Connections towards DynamoDB should be via VPC endpoints
Security & Compliance
No items found.
Medium
Connections towards S3 should be via VPC endpoint
Security & Compliance
CCPA
Medium
Container in CrashLoopBackOff state
Availability
No items found.
Low
Cross peering connectivity is allowed by EC2
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by ECS Task
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by Lambda
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by Pod
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by EC2
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by ECS
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by Lambda
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by Pod
Security & Compliance
CISAWSF
Medium
DynamoDB tables not in use
AWS Cost Optimization
AWS Well-Architected Framework
CIS 8
HITRUST
GDPR
Medium
EBS snapshots not in use
AWS Cost Optimization
AWS Well-Architected Framework
Medium
EBS volume not in use
AWS Cost Optimization
MAS
NIST4
AWS Well-Architected Framework
Low
EC2 large instance create alarm
Security & Compliance
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
EC2 should have a name set
Other
APRA
MAS
Critical
EC2 with Admin access (*:*)
Security & Compliance
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Low
EC2 with GPU capabilities
AWS Cost Optimization
No items found.
Medium
EC2 with high privileged policies
Security & Compliance
No items found.
Medium
ECS cluster delete alarm
Availability
No items found.
Critical
ECS task with Admin access (*:*)
Security & Compliance
CIS
Medium
ECS task with high privileged policies
Security & Compliance
No items found.
Critical
EKS cluster delete alarm
Availability
No items found.
Medium
ELB not in use
AWS Cost Optimization
AWS Well-Architected Framework
Medium
ElastiCache cluster delete alarm
Availability
No items found.
Medium
Elastic IP not in use
AWS Cost Optimization
AWS Well-Architected Framework
CISAWSF
PCI-DSS
MAS
NIST4
Low
Ensure API Gateway has Content Encoding feature enabled
Other
MAS
NIST 800-53
NIST4
Medium
Ensure AWS Config is configured to include global resources
Security & Compliance
APRA
GDPR
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure AWS EKS cluster has secrets encryption enabled
Security & Compliance
CIS
CISAWSF
CIS EKS
HITRUST
NIST 800-53
Medium
Ensure Amazon MQ broker instances are using desired instance types
Security & Compliance
AWS Well-Architected Framework
Medium
Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled
Security & Compliance
APRA
CCPA
HITRUST
ISO 27001
MAS
Low
Ensure Amazon MQ brokers Log Exports feature is enabled
Security & Compliance
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Medium
Ensure Amazon MQ brokers are not publicly accessible
Security & Compliance
APRA
CCPA
CIS 8
GDPR
HIPAA
Critical
Ensure Amazon MQ brokers are not publicly accessible
Security & Compliance
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Amazon MQ brokers are using the active/standby deployment mode
Availability
CCPA
ISO 27001
NIST4
NIST 800-53
AWS Well-Architected Framework
Low
Ensure Amazon MQ brokers are using the latest engine version
Security & Compliance
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
Security & Compliance
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Medium
Ensure Application Load Balancer (ALB) has access logging enabled
Security & Compliance
No items found.
Medium
Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
Security & Compliance
NIST 800-53
CSA CCM
AWS Foundational Security Best Practices Controls
Low
Ensure Auto-Tune feature is enabled in OpenSearch clusters
Other
No items found.
Medium
Ensure CloudFormation stacks Termination Protection feature is enabled
Security & Compliance
APRA
MAS
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks are sending event notifications to an SNS topic
Security & Compliance
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
Security & Compliance
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Medium
Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
Security & Compliance
PCI-DSS
HIPAA
Medium
Ensure CloudFront has WAF attached
Security & Compliance
NIST 800-53
AWS Foundational Security Best Practices Controls
Medium
Ensure CloudFront web distributions are configured to compress objects (files) automatically
AWS Cost Optimization
GDPR
NIST4
Medium
Ensure CloudFront web distributions enforce field-level encryption
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
HIPAA
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
Security & Compliance
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
High
Ensure CloudTrail buckets are configured to use MFA
Security & Compliance
APRA
MAS
NIST4
GDPR
HIPAA
Medium
Ensure CloudTrail logs are encrypted at rest
Security & Compliance
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
High
Ensure CloudTrail trails have multi-region enabled
Security & Compliance
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure CloudTrail trails record global service events
Security & Compliance
APRA
PCI-DSS
GDPR
NIST4
MAS
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
Security & Compliance
CISAWSF
PCI-DSS
GDPR
APRA
MAS
Medium
Ensure Container liveness probe is configured
Availability
No items found.
Low
Ensure Container readiness probe is configured
Availability
No items found.
Critical
Ensure DMS instances are not accessible via Internet (Network and API)
Security & Compliance
CIS
SOC2
PCI-DSS
FedRAMP
AWS Well-Architected Framework
High
Ensure Database Migration Service (DMS) are not publicly accessible
Security & Compliance
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations
Availability
NIST4
Medium
Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled
Security & Compliance
APRA
MAS
NIST4
Low
Ensure DocumentDB clusters have Log Exports feature enabled
Security & Compliance
APRA
Medium
Ensure DocumentDB database clusters have a minimum backup retention period
Other
NIST4
AWS Well-Architected Framework
Critical
Ensure DocumentDB database instances are not accessible via Internet (Network and API)
Security & Compliance
CIS
SOC2
PCI-DSS
Critical
Ensure DocumentDB database instances have storage encryption enabled
Security & Compliance
GDPR
NIST4
NIST 800-53
HIPAA
MAS
High
Ensure DocumentDB volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Cost Optimization
AWS Well-Architected Framework
Low
Ensure DynamoDB Tables are encrypted with customer managed key
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Medium
Ensure DynamoDB tables have point in time recovery enabled
Availability
SOC2
GDPR
HITRUST
NIST 800-53
NIST4
Medium
Ensure EBS snapshots are encrypted
Security & Compliance
PCI-DSS
GDPR
HIPAA
NIST4
HITRUST
Critical
Ensure EBS snapshots are not publicly accessible
Security & Compliance
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
Ensure EBS volumes are encrypted
Security & Compliance
APRA
MAS
NIST4
CIS
ISO 27001
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Cost Optimization
AWS Well-Architected Framework
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of io1
AWS Cost Optimization
AWS Well-Architected Framework
Critical
Ensure EC2 AMIs are not publicly accessible
Security & Compliance
GDPR
APRA
MAS
NIST4
CIS 8
Medium
Ensure EC2 instance uses an IAM profile
Security & Compliance
APRA
CISAWSF
MAS
NIST4
Medium
Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
Security & Compliance
AWS Foundational Security Best Practices Controls
NIST 800-53
HITRUST
Medium
Ensure ECS task definition has memory limit
Availability
No items found.
High
Ensure EFS file systems are encrypted
APRA
MAS
NIST4
GDPR
HIPAA
High
Ensure EFS file systems are encrypted using KMS CMK customer-managed keys
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
Low
Ensure EKS Private access is enabled
Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure EKS Public access is disabled
Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure EKS Public access is restricted to specific sources
Security & Compliance
ISO 27001
Low
Ensure EMR cluster archive log files to S3
Other
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Critical
Ensure EMR cluster master nodes are not publicly accessible
Security & Compliance
No items found.
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
Security & Compliance
HIPAA
GDPR
NIST4
APRA
HITRUST
Critical
Ensure ElastiCache Redis clusters are encrypted in-transit
Security & Compliance
HIPAA
GDPR
HITRUST
NIST 800-53
APRA
Low
Ensure ElastiCache Redis clusters have automatic backup turned on
Availability
No items found.
Medium
Ensure Geo-Restriction is enabled within CloudFront distribution
Security & Compliance
GDPR
Medium
Ensure IAM Group has no inline policy
Security & Compliance
APRA
MAS
NIST4
FedRAMP
Medium
Ensure IAM Role has no inline policy
Security & Compliance
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Medium
Ensure IAM User has no inline policy
Security & Compliance
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Critical
Ensure IAM password policy expires passwords within 90 days or less
Security & Compliance
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Low
Ensure IAM password policy has expiration period
Security & Compliance
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Medium
Ensure IAM password policy prevents password reuse
Security & Compliance
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Medium
Ensure IAM password policy require at least one lowercase letter
Security & Compliance
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
We haven't write about
Virtual Machine
yet.
View all blog posts ->
More from
Microsoft Azure
PostgreSQL
AKS
Cosmos DB
Cache for Redis
Queue Storage
Files
Data Lake Storage
Blob Storage
Function App
Front Door
Firewall Policy Rule Collection Group
Firewall Policy
Firewall
CDN Profile
Bot
App-Service Plan
SQL Server
SQL Database
Domain Service
User
Group
Role Definition
Active Directory
Disk Storage
Image
Storage Account
Snapshot
Network Interface
Network Security Group
Resource Group
Route Table
Subnet
Virtual Network
Virtual Machine