Detector:scout.storage.public_access_enabled
Storage account titantierlaunch01 has allowBlobPublicAccess set to true. Any container created within this account can be configured for anonymous public read access, exposing sensitive data to the internet without authentication.
Disable public blob access at the storage account level by setting allowBlobPublicAccess to false. This blocks anonymous access to every container in the account regardless of the public access level configured on individual containers, and it takes effect immediately, so confirm first that no workload (a static website, a CDN origin, a public download bucket) relies on anonymous reads.
FORGE Auto-Fix Applied
Playbook: storage-disable-public-access-v3
Action: Set allowBlobPublicAccess to false on storage account
Command: az storage account update --name titantierlaunch01 --resource-group titan-tier-test-20260508-144346 --allow-blob-public-access false
Result: Public blob access disabled. Verified via GET properties — allowBlobPublicAccess: false.
Detector:sentinel.nsg.unrestricted_ssh_inbound
NSG rule AllowSSH (priority 100) permits inbound TCP/22 from source 0.0.0.0/0. This exposes SSH to brute-force attacks, credential stuffing, and lateral movement from any IP on the internet.
Restrict SSH access to known IP ranges or use Azure Bastion for secure remote management. Remove the rule or narrow its source to your corporate CIDR blocks or VPN gateway IPs only. A private range such as 10.0.0.0/8 is an improvement over 0.0.0.0/0 but still admits every peered network and on-premises host that uses that space, so tighten it further to the actual management subnets.
FORGE Auto-Fix Applied
Playbook: nsg-restrict-ssh-inbound-v2
Action: Updated NSG rule source from 0.0.0.0/0 to 10.0.0.0/8 (internal only)
Command: az network nsg rule update --resource-group titan-tier-test-20260508-144346 --nsg-name titan-launch-nsg --name AllowSSH --source-address-prefixes 10.0.0.0/8
Result: SSH rule restricted to internal range. Verified via rule listing — source now 10.0.0.0/8.
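An offline version of the check behind this finding, added here as an example (it is not the detector's or the FORGE playbook's own code). It evaluates NSG rules in the JSON shape returned by `az network nsg rule list -o json`, honours rule priority so that a Deny with a lower priority number shadows a later Allow, and treats `*`, the Internet service tag and /0 prefixes as unrestricted sources while other service tags and application security groups count as restricted. The rule set is constructed: only AllowSSH comes from the finding; AllowHTTPS, DenyRDPInternet and AllowMgmtRange are invented to exercise the priority and port-range handling, and RULES_AFTER reproduces the state the playbook left behind.

```python
"""Offline check for the condition behind sentinel.nsg.unrestricted_ssh_inbound.

Evaluates NSG rules in the JSON shape returned by `az network nsg rule list -o json`
and reports Allow rules that expose management ports (SSH, RDP) to any internet source.
Rules are matched in ascending priority, as the NSG itself does, so a broader Deny
with a lower priority number shadows a later Allow."""
import ipaddress
import json

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE_TOKENS = {"*", "internet", "0.0.0.0/0", "::/0"}


def port_matches(spec: str, port: int) -> bool:
    """True if a destination port token ('22', '3300-3400' or '*') covers `port`."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_port_specs(rule: dict) -> list:
    """az fills destinationPortRange for a single value, destinationPortRanges for several."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs


def rule_source_prefixes(rule: dict) -> list:
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def covers_whole_internet(prefix: str) -> bool:
    """'*', the Internet service tag and /0 networks all mean 'any source'. Other service
    tags (VirtualNetwork, ...) and application security groups are not CIDRs and count
    as restricted, as does any CIDR with a non-zero prefix length."""
    if prefix.lower() in ANY_SOURCE_TOKENS:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False


def unrestricted_management_inbound(rules: list) -> list:
    """One finding per management port that the first unrestricted-source rule allows.
    Rules with a restricted source decide nothing about 'anyone on the internet' and are
    skipped; when no rule matches, the platform's DenyAllInBound default applies."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    findings = []
    for port, service in MANAGEMENT_PORTS.items():
        for rule in inbound:
            if rule.get("protocol", "*").lower() not in ("tcp", "*"):
                continue
            if not any(port_matches(s, port) for s in rule_port_specs(rule)):
                continue
            wide = [p for p in rule_source_prefixes(rule) if covers_whole_internet(p)]
            if not wide:
                continue
            if rule["access"] == "Allow":
                findings.append({"rule": rule["name"], "priority": rule["priority"],
                                 "port": port, "service": service, "source": wide[0]})
            break  # first decisive rule (Allow or Deny) wins for this port
    return findings


def _rule(name, priority, access, protocol, source, ports):
    """Constructed rule record with the fields the check reads (not real tenant data)."""
    single = len(ports) == 1
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "sourceAddressPrefixes": [],
            "destinationPortRange": ports[0] if single else None,
            "destinationPortRanges": [] if single else list(ports)}


# Constructed export mirroring titan-launch-nsg; only AllowSSH comes from the finding.
RULES_BEFORE = [
    _rule("AllowSSH", 100, "Allow", "Tcp", "0.0.0.0/0", ["22"]),
    _rule("AllowHTTPS", 110, "Allow", "Tcp", "Internet", ["443"]),
    _rule("DenyRDPInternet", 200, "Deny", "*", "Internet", ["3389"]),
    _rule("AllowMgmtRange", 300, "Allow", "Tcp", "*", ["3300-3400", "5985"]),
]
# State after the playbook narrowed AllowSSH to 10.0.0.0/8.
RULES_AFTER = [dict(r, sourceAddressPrefix="10.0.0.0/8") if r["name"] == "AllowSSH" else r
               for r in RULES_BEFORE]

if __name__ == "__main__":
    print(json.dumps(unrestricted_management_inbound(RULES_BEFORE), indent=2))
    print(unrestricted_management_inbound(RULES_AFTER))  # [] once the source is narrowed
```

Run against RULES_BEFORE the check reports only AllowSSH on port 22: the RDP exposure from AllowMgmtRange (3389 falls inside 3300-3400 from `*`) is shadowed by DenyRDPInternet at priority 200, which is exactly the case a naive "any rule with 0.0.0.0/0 and port 22/3389" grep gets wrong in both directions.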
Detector:comply.iam.root_no_mfa
The subscription Owner account does not have MFA enforced via Conditional Access policy. A compromised Owner credential without MFA grants full control over all resources, billing, and IAM in the subscription.
Enable a Conditional Access policy requiring MFA for every identity holding Owner or Contributor. Conditional Access is scoped to users, groups and directory roles rather than to Azure RBAC assignments, so place the Owner and Contributor holders in a dedicated group (or manage them through PIM) and target the policy at that group. Azure AD Security Defaults are an alternative only for tenants that use no custom Conditional Access policies, since the two cannot be combined and Security Defaults apply to all users rather than to selected roles. Enforce phishing-resistant MFA such as FIDO2 or Windows Hello for Business.
Change Request Filed
CHG ID: CHG0001001
Justification: Enabling MFA via Conditional Access policy requires tenant-level administrative action and may impact existing sign-in flows. Requires validation of break-glass accounts and exclusion groups before enforcement.
Status: Pending CAB review
Detector:scout.keyvault.no_purge_protection
Key Vault titan-launch-kv does not have purge protection enabled. Without purge protection, deleted keys, secrets, and certificates can be permanently purged during the retention period, making recovery impossible in the event of accidental or malicious deletion.
Enable both soft delete and purge protection on the Key Vault. Deleted objects are then retained for the configured period (7-90 days) and cannot be permanently removed until it expires. Purge protection cannot be turned off once enabled and also applies to deletion of the vault itself, so a soft-deleted vault with purge protection keeps its name reserved for the full retention period; plan for this in test environments that create and destroy vaults.
Detector:sentinel.sql.allow_azure_services_enabled
SQL Server titan-launch-sql has the AllowAllWindowsAzureIps firewall rule (0.0.0.0 - 0.0.0.0) enabled. This allows any Azure service from any tenant or subscription to reach the SQL endpoint, significantly expanding the attack surface.
Remove the AllowAllWindowsAzureIps rule and use Private Endpoints or VNet service endpoints to restrict SQL access to specific virtual networks. If Azure service access is required, use specific IP ranges of known services rather than the blanket allow rule.
Change Request Filed
CHG ID: CHG0001002
Justification: Removing the AllowAllWindowsAzureIps rule may break connectivity from existing Azure services (App Services, Functions, Data Factory) that depend on this access path. Requires network architecture review and Private Endpoint provisioning before enforcement.
Status: Pending CAB review
Detector:scout.compute.vm_public_ip_assigned
Virtual machine titan-launch-vm01 has a public IP address directly associated with its network interface. This makes the VM reachable from the internet, increasing exposure to reconnaissance, port scanning, and direct exploitation of any running services.
Remove the direct public IP association and access the VM through Azure Bastion, a VPN gateway, or a load balancer with restricted NSG rules. If public access is required, ensure NSG rules limit inbound traffic to only necessary ports and known source IPs.
Change Request Filed
CHG ID: CHG0001003
Justification: Removing the public IP may disrupt active workloads or remote management sessions. Requires Azure Bastion or VPN gateway provisioning as a prerequisite. Application team must confirm no direct public IP dependency exists.
Status: Pending CAB review
Detector:comply.governance.no_resource_locks
Resource group titan-tier-test-20260508-144346 and its critical child resources (Key Vault, SQL Server, Storage Account) have no CanNotDelete or ReadOnly locks. Any user with sufficient RBAC permissions can accidentally or maliciously delete production resources without safeguard.
Apply CanNotDelete locks to the resource group and all critical resources (databases, key vaults, storage accounts). For production environments, consider ReadOnly locks on components that should not change at all; note that a ReadOnly lock blocks every management-plane operation other than reads, including POST actions such as listing storage account keys, so it can break running applications as well as deployments.
Change Request Filed
CHG ID: CHG0001004
Justification: Applying resource locks affects deployment pipelines, CI/CD automation, and IaC tools that may need to modify or recreate resources. Requires coordination with DevOps to allow-list lock-aware operations and update deployment scripts.
Status: Pending CAB review
Detector:sentinel.compute.disk_encryption_disabled
Virtual machine titan-launch-vm01 OS disk does not have Azure Disk Encryption (ADE) or server-side encryption with customer-managed keys enabled. Data at rest on the disk is protected only by platform-managed encryption, which may not satisfy regulatory requirements for customer-controlled key management.
Enable Azure Disk Encryption with the disk encryption key stored in a Key Vault you control, optionally wrapped with a customer-managed key encryption key. This keeps OS and data disks encrypted under keys your organization manages. Because ADE stores the volume's encryption key in the vault, enable purge protection on that vault first (see the scout.keyvault.no_purge_protection finding above): if the key material is deleted and purged, the encrypted disk cannot be recovered.
FORGE Auto-Fix Applied
Playbook: vm-enable-disk-encryption-v3
Action: Enabled ADE with Key Vault integration for OS disk encryption
Command: az vm encryption enable --resource-group titan-tier-test-20260508-144346 --name titan-launch-vm01 --disk-encryption-keyvault titan-launch-kv --volume-type OS
Result: OS disk encryption enabled. Verified via show — encryptionStatus: Encrypted, keyVault: titan-launch-kv.
Detector:watch.web.tls_minimum_version_low
App Service titan-launch-webapp has minimum TLS version set to 1.0. TLS 1.0 and 1.1 are deprecated by IETF RFC 8996: TLS 1.0 is exposed to BEAST through its CBC cipher suites, both versions commonly negotiate legacy ciphers such as 3DES (SWEET32), and some implementations were affected by TLS variants of POODLE. Accepting these protocols exposes the application to downgrade attacks and data interception.
Set the minimum TLS version to 1.2 on the App Service. Verify that all clients and integrations support TLS 1.2 before enforcement. Consider TLS 1.3 where supported for improved handshake performance and mandatory forward secrecy. The minimum version governs only TLS connections, so also enable HTTPS Only on the app so that plaintext HTTP requests are redirected instead of served.
FORGE Auto-Fix Applied
Playbook: webapp-enforce-tls12-minimum-v2
Action: Set minimum TLS version to 1.2 on App Service
Command: az webapp config set --resource-group titan-tier-test-20260508-144346 --name titan-launch-webapp --min-tls-version 1.2
Result: Minimum TLS version set to 1.2. Verified via config show — minTlsVersion: 1.2.
Detector:scout.keyvault.diagnostic_logs_disabled
Key Vault titan-launch-kv has no diagnostic settings configured. Without audit logging, secret access events, key operations, and authentication failures are not captured, preventing detection of unauthorized access or key exfiltration attempts.
Enable diagnostic logging on the Key Vault and send AuditEvent logs to a Log Analytics workspace or Storage Account. Configure retention for at least 90 days to meet compliance requirements. Set up alerts for unusual access patterns or failed authentication attempts.
Change Request Filed
CHG ID: CHG0001005
Justification: Enabling diagnostic logging requires a destination Log Analytics workspace or Storage Account. Costs associated with log ingestion and retention must be budgeted. Requires platform team to provision the logging infrastructure and configure appropriate retention policies.
Status: Pending CAB review
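The alerting the remediation asks for, once AuditEvent logs reach a workspace, would normally be a KQL analytics rule; the following is an added example (not the detector's or the page's own code) that shows the same detection logic in Python over records in the shape the AuditEvent category writes (operationName, resultType, callerIpAddress, identity.claim, properties.requestUri). It flags two patterns: a burst of failed requests from one caller and IP, and a SecretList followed within a few minutes by reads of several distinct secrets, which is the enumerate-then-dump sequence a stolen credential tends to produce. All records, identities and addresses are constructed for illustration; the thresholds and five-minute window are assumptions to tune per vault.

```python
"""Detection logic over Key Vault AuditEvent records, of the kind the remediation
for scout.keyvault.diagnostic_logs_disabled asks for once logging flows to a
workspace: repeated failed requests from one caller, and a SecretList followed by
reads of several distinct secrets (an enumerate-then-dump pattern)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

WINDOW = timedelta(minutes=5)
FAILURE_THRESHOLD = 5       # failed requests from one caller/IP inside WINDOW (assumed)
ENUMERATION_THRESHOLD = 3   # distinct secrets read after a SecretList inside WINDOW (assumed)


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def caller_of(rec: dict) -> tuple:
    """Caller = UPN, app id or object id from the token claims, paired with the source IP."""
    claim = rec.get("identity", {}).get("claim", {})
    who = claim.get("upn") or claim.get("appid") or claim.get("oid") or "anonymous"
    return who, rec.get("callerIpAddress", "unknown")


def secret_name(rec: dict) -> Optional[str]:
    """Secret name from properties.requestUri (.../secrets/<name>[/<version>]?api-version=...)."""
    parts = urlparse(rec.get("properties", {}).get("requestUri", "")).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "secrets" else None


def max_in_window(times: list) -> int:
    """Most timestamps that fit inside any span of length WINDOW (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(records: list) -> list:
    by_caller = defaultdict(list)
    for rec in records:
        by_caller[caller_of(rec)].append(rec)
    alerts = []
    for (who, ip), recs in by_caller.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        failures = [parse_time(r["time"]) for r in recs if r.get("resultType") == "Failure"]
        if max_in_window(failures) >= FAILURE_THRESHOLD:
            alerts.append({"rule": "kv_repeated_failures", "caller": who, "ip": ip,
                           "count": len(failures)})
        for i, rec in enumerate(recs):
            if rec["operationName"] != "SecretList" or rec.get("resultType") != "Success":
                continue
            t0 = parse_time(rec["time"])
            names = {secret_name(r) for r in recs[i + 1:]
                     if r["operationName"] == "SecretGet" and r.get("resultType") == "Success"
                     and parse_time(r["time"]) - t0 <= WINDOW}
            names.discard(None)
            if len(names) >= ENUMERATION_THRESHOLD:
                alerts.append({"rule": "kv_secret_enumeration", "caller": who, "ip": ip,
                               "secrets": sorted(names)})
                break
    return alerts


def _rec(time, op, result, status, claim, ip, uri):
    """Constructed AuditEvent record carrying the fields the rules read (not real logs)."""
    return {"time": time, "category": "AuditEvent", "operationName": op, "resultType": result,
            "resultSignature": "OK" if result == "Success" else "Forbidden",
            "callerIpAddress": ip, "identity": {"claim": claim},
            "properties": {"requestUri": uri, "httpStatusCode": status}}


KV = "https://titan-launch-kv.vault.azure.net"
USER = {"upn": "ops.engineer@example.com"}                # assumed operator identity
APP = {"appid": "00000000-0000-0000-0000-0000000000aa"}   # assumed service principal
SAMPLE_RECORDS = [
    _rec("2026-05-08T14:50:00Z", "SecretGet", "Success", 200, USER, "10.1.2.3",
         f"{KV}/secrets/sql-conn/?api-version=7.4"),
    *[_rec(f"2026-05-08T14:{51 + i}:10Z", "SecretGet", "Failure", 403, APP, "203.0.113.9",
           f"{KV}/secrets/sql-conn?api-version=7.4") for i in range(6)],
    _rec("2026-05-08T14:58:00Z", "SecretList", "Success", 200, APP, "203.0.113.9",
         f"{KV}/secrets?api-version=7.4"),
    _rec("2026-05-08T14:58:05Z", "SecretGet", "Success", 200, APP, "203.0.113.9",
         f"{KV}/secrets/sql-conn?api-version=7.4"),
    _rec("2026-05-08T14:58:09Z", "SecretGet", "Success", 200, APP, "203.0.113.9",
         f"{KV}/secrets/storage-key?api-version=7.4"),
    _rec("2026-05-08T14:58:14Z", "SecretGet", "Success", 200, APP, "203.0.113.9",
         f"{KV}/secrets/webhook-token?api-version=7.4"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

On the sample the operator's single successful read produces nothing, while the service principal from 203.0.113.9 triggers both rules: six 403s inside five minutes, then a listing followed by three distinct secret reads. Keying on caller plus IP rather than caller alone is deliberate, since the same app id appearing from a new address after a failure burst is itself the signal worth paging on.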
Detector:predict.identity.no_managed_identity
App Service titan-launch-webapp does not have a system-assigned managed identity enabled. Without a managed identity, the application likely uses stored credentials (connection strings, API keys) to access Azure services, increasing the risk of credential leakage and making secret rotation complex.
Enable a system-assigned managed identity on the App Service and grant it RBAC roles for the Azure services it needs (Key Vault, Storage, SQL). Then switch the application to token-based authentication with that identity and rotate or delete the stored credentials; enabling the identity on its own changes nothing until the code stops using the old secrets.
FORGE Auto-Fix Applied
Playbook: webapp-enable-managed-identity-v2
Action: Enabled system-assigned managed identity on App Service
Command: az webapp identity assign --resource-group titan-tier-test-20260508-144346 --name titan-launch-webapp
Result: System-assigned managed identity enabled. Principal ID assigned: 7a3c4e2f-1b5d-4890-a6c8-9d0e2f3b4c5a.
Detector:watch.compute.no_backup_configured
Virtual machine titan-launch-vm01 is not protected by Azure Backup. In the event of data corruption, ransomware, accidental deletion, or hardware failure, there is no recovery point available for restoration, risking permanent data loss.
Configure Azure Backup for the virtual machine using a Recovery Services vault with a backup policy that meets your RPO and RTO requirements. Enable soft delete on the vault to protect backup data from accidental or malicious deletion. Test restore operations periodically.
Change Request Filed
CHG ID: CHG0001006
Justification: Enabling Azure Backup requires provisioning a Recovery Services vault, defining retention policies, and budgeting for backup storage costs. Requires agreement on RPO/RTO targets and validation that the VM agent extension is compatible with the backup service.
Status: Pending CAB review