Cloud Security Baseline for Azure Logic Apps
Secure Azure Logic Apps with Public Access Enabled
Enable Managed Identities: Use managed identities to authenticate access and connections to Azure resources without needing to store credentials. This helps keep authentication information secure.
Use Network Security Groups (NSGs): Configure NSGs to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. This helps prevent unauthorized access.
Enable Azure Role-Based Access Control (RBAC): Assign specific roles to users or groups to control their permissions. For example, you can use roles like "Logic App Contributor" or "Logic App Operator" to manage access.
Use Azure Resource Locks: Prevent others from changing or deleting your logic app workflow by applying resource locks.
Monitor with Microsoft Defender for Cloud: Use Microsoft Defender for Cloud to monitor security and compliance. This tool provides recommendations and helps measure compliance with security baselines.
Logic Apps Best practices
Secure Azure Logic-Apps
All inbound requests to request-based triggers are encrypted using TLS 1.2.
SAS or Microsoft Entra ID authentication.
IP restrictions on inbound and outbound traffic wherever the workflow needs to be triggered.
Azure API Management
Cloud Security Baseline for Azure Logic Apps
Identity and Access Management
Ensure to use Managed Service Identity (MSI) (System-assigned or User-assigned) for secure access to Azure resources (Key Vault, Azure Functions, etc.).
Ensure to use Azure Key Vault to avoid hardcoded credentials within Logic Apps and to manage secrets and API keys for custom connectors.
Ensure to use Azure Role-Based Access Control (RBAC) to grant access only to required Azure resources.
Ensure to assign roles such as Logic App Contributor, Logic App Operator, or Reader, depending on the requirements.
Ensure to use Microsoft Entra ID/Azure Active Directory (AAD) to control access to the Logic App through Conditional Access policies.
Ensure to configure connectors to use OAuth 2.0 with Azure AD for secure access.
Network Security
Ensure to integrate Logic Apps with a Virtual Network (VNet) using Private Endpoints to limit access over the public internet.
Ensure to enable VNet Integration to restrict inbound and outbound traffic.
Ensure to use IP Restrictions to allow traffic only from trusted IP addresses or specific VNets.
Ensure to use Azure API Management (APIM) as a gateway in front of the Logic Apps to enforce API security and limit exposure.
Ensure to configure firewall settings to allow only necessary outbound traffic. Deny access from known malicious IP addresses.
Data Protection
Ensure to enable Data Encryption at Rest using Customer Managed Keys (CMK) with Azure Managed HSM to store the keys securely.
Ensure to use HTTPS/TLS 1.2 or higher, enforced for all data in transit.
Ensure to store sensitive data such as connection strings, credentials, or API keys in Azure Key Vault.
Ensure to mask the sensitive output data in Logic App run history using Secure Outputs.
Ensure to use built-in data masking features in connectors and Logic Apps to limit the exposure of sensitive information.
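The IP Restrictions item under Network Security and the Secure Outputs item above can both be verified from an exported Logic App (Consumption) resource. The following audit script is an added example, not code from the page or from Microsoft; the workflow JSON is constructed (hypothetical name, IP range and action names) in the shape of a Microsoft.Logic/workflows resource, and it checks the resource's accessControl.*.allowedCallerIpAddresses and each action's runtimeConfiguration.secureData settings.

```python
"""Audit an exported Azure Logic App (Consumption) resource for two baseline settings."""
import json

# Constructed sample resource (hypothetical values), shaped like Microsoft.Logic/workflows.
SAMPLE_WORKFLOW = json.loads("""
{
  "name": "orders-workflow",
  "type": "Microsoft.Logic/workflows",
  "properties": {
    "accessControl": {
      "triggers": {"allowedCallerIpAddresses": [{"addressRange": "203.0.113.0/24"}]},
      "contents": {"allowedCallerIpAddresses": []}
    },
    "definition": {
      "triggers": {"manual": {"type": "Request", "kind": "Http"}},
      "actions": {
        "Get_secret": {"type": "Http", "inputs": {"uri": "https://example.invalid/secret"},
                       "runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}},
        "Call_api": {"type": "Http", "inputs": {"uri": "https://example.invalid/api"}}
      }
    }
  }
}
""")


def check_ip_restrictions(resource):
    """Return a finding for each access-control scope that accepts callers from any IP.

    'triggers' governs who may fire request-based triggers (in addition to the SAS/Entra check);
    'contents' governs who may read run-history inputs and outputs.
    """
    findings = []
    access = resource.get("properties", {}).get("accessControl", {})
    for scope in ("triggers", "contents"):
        ranges = access.get(scope, {}).get("allowedCallerIpAddresses") or []
        if not ranges:
            findings.append(f"accessControl.{scope}: no allowedCallerIpAddresses (open to any IP)")
    return findings


def check_secure_outputs(resource):
    """Return the names of actions whose outputs are not masked in run history."""
    actions = resource.get("properties", {}).get("definition", {}).get("actions", {})
    unmasked = []
    for name, action in actions.items():
        props = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
        if "outputs" not in props:
            unmasked.append(name)
    return unmasked


if __name__ == "__main__":
    print(check_ip_restrictions(SAMPLE_WORKFLOW))  # contents scope is unrestricted
    print(check_secure_outputs(SAMPLE_WORKFLOW))   # Call_api lacks Secure Outputs
```

Run it against the JSON returned by az resource show for each workflow to find unrestricted scopes and actions still logging sensitive outputs.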
Logging and Monitoring
Ensure to enable Azure Monitor for insights and audit logs into Logic App performance and health.
Ensure to use Azure Log Analytics to collect and analyze logs for troubleshooting.
Ensure to send the logs to Azure Sentinel for centralized logging.