How AZCheck evaluates your environment

Every finding is backed by a structured check — with a rationale, plain-language explanation, remediation in your IaC of choice, and citations to every framework that applies. No black boxes. No magic numbers.

10 Storage Account checks (v1)
4 Compliance frameworks
5 Check types
820+ Framework controls mapped
The problem

What compliance tools get wrong

Most scanners hand you a finding ID, a severity score, and a link to a 200-page framework document. They stop there. You're left to answer the real questions: what exactly is wrong, why does it matter to your organisation, who in your team should act on it, and how.

What you usually get
A flag and a reference
A finding ID and a severity score
A link to the framework document — you find the relevant paragraph
Raw property names, not resource names
The same misconfiguration listed once per framework — three findings, one fix
No indication of who in your organisation should care or act
Remediation steps that don't match your IaC stack
What AZCheck gives you
A complete record
What is wrong, on which specific resource, right now
Why it matters — the actual attack scenario, in plain English
Who in your org should care — security, compliance, operations, and finance perspectives
One finding per issue — all framework citations attached, one fix closes all gaps
Environment-aware verdicts — dev and prod are not judged the same
Remediation in Portal, CLI, Terraform, and Pulumi — whichever you use
Who cares

Same finding. Four perspectives.

Every check knows who in your organisation is affected. Security, compliance, operations, and finance each get the message relevant to them — pulled from the same underlying check record.

HIGH · HTTP traffic allowed · stprodapp001 · microsoft.storage/storageaccounts
Security
Prevents man-in-the-middle and eavesdropping attacks on storage traffic. An attacker on the same network — or intercepting traffic between datacentres — can read or modify data without either side knowing.
Compliance
Required by CIS Azure 3.1, MCSB NS-3, PCI-DSS 4.2.1, and NZISM 17.1.51.C.01. Failing this will be flagged in any compliance audit. One fix closes all four controls simultaneously.
Operations
Enabling this causes no downtime. The only operational risk is a legacy client still using HTTP, or an Azure Files share mounted over SMB without encryption (SMB 2.1, or SMB 3.x with encryption off), both of which stop working once secure transfer is required. Either is itself a problem worth surfacing and fixing before it becomes an incident.
Finance
Compliance violation penalties and audit remediation costs dwarf the zero-cost of enabling this setting. PCI-DSS 4.2.1 failure is a direct path to assessment surcharges. This is the highest-asymmetry fix in the audit.
Check types

Not every misconfiguration is binary

Some settings have no universal right answer. Some depend on your environment. Some sit on a spectrum. AZCheck uses five check types (binary, tiered, context-dependent, org stance and bidirectional) to give you the right verdict in the right context, not a false pass or a false positive. A setting that v1 can read but not yet evaluate is shown as informational rather than forced into one of the five.

binary
HTTPS enforced
Pass or fail. Applies universally — there is no legitimate reason to allow unencrypted traffic on a storage account, in any environment.
CIS 3.1 · MCSB NS-3 · NZISM 17.1.51
tiered
Minimum TLS version
Failing / compliant / recommended. You see where you are on the scale and what the next step is. TLS 1.2 is compliant; TLS 1.3 is the recommended upgrade path.
CIS 3.2 · MCSB NS-3
binary
Public blob access
Anonymous reads must be disabled at the account level. Publicly accessible blobs are the most common class of Azure storage data exposure incident.
CIS 3.5 · MCSB PA-7
binary
Shared key access
Static account keys are a bearer credential: anyone holding one has full data-plane access, and storage logs record only that a key was used, not who used it. Microsoft Entra ID (formerly Azure AD) authentication is safer, attributable per request, and supports least privilege. Note that disallowing shared key access also rejects SAS tokens signed with the account key; user delegation SAS, which is signed with Entra credentials, keeps working.
CIS 3.15 · MCSB IM-1
context-dependent
Network firewall default
Partial finding — the firewall setting is readable, but whether it is correctly configured depends on your network topology, which AZCheck cannot fully evaluate in v1.
CIS 3.7 · MCSB NS-1
org stance
Infrastructure encryption
Double encryption at rest. Mandatory in some regulated environments, unnecessary overhead in others. Declare your organisation's position to get a relevant verdict, not a blanket flag. This setting can only be enabled when the storage account is created, so remediating an existing account means creating a new one and migrating the data.
CIS 3.3 · NZISM 17.1.46
bidirectional
Redundancy level
Can flag both under-provisioning (risk) and over-provisioning (unnecessary spend). GZRS on a dev account is waste. LRS on production financial data is a risk. Environment inference determines which applies.
ISO 27001 · SOC 2
binary
Cross-tenant replication
A data exfiltration vector. An attacker who gains control of the account can create an object replication policy that silently copies blob data to a tenant they control. Disable it unless explicitly required; the setting only blocks policies whose source and destination are in different tenants, so replication within your own tenant keeps working.
CIS 3.12 · NZISM 20.4.4
binary
Blob soft delete
Without a retention window, data that ransomware deletes or overwrites is permanently unrecoverable. Soft delete costs almost nothing and is the difference between recovery and catastrophe. It covers blobs only (container soft delete is a separate setting), and an attacker with control of the account can turn it off, so for data that matters add a locked immutability policy as well.
CIS 3.11
informational
Lifecycle policy
Shown as informational in v1. Lifecycle settings require an additional ARM API call not yet evaluated in-browser. Will be promoted to a full check in a future version.
NZISM 20.4.6 · GDPR Art. 5
Framework deduplication

One misconfiguration. Multiple frameworks. One finding.

When CIS Azure and MCSB both care about the same misconfiguration, traditional tools show two findings. AZCheck shows one — with all framework citations attached. Fix it once, close every gap.

CIS Azure v2.1 · Center for Internet Security (CIS Benchmarks) · 110 controls
MCSB v1 · Microsoft Cloud Security Benchmark (Microsoft) · 180 controls
NZISM v3.7 · NZ Information Security Manual (GCSB, New Zealand) · 330+ controls
PCI-DSS v4.0.1 · Payment Card Industry Data Security Standard (PCI SSC) · 200 controls
Without deduplication: three findings
HTTPS not enforced (CIS finding): CIS 3.1
Secure transfer required (MCSB finding): MCSB NS-3
Encrypted comms required (NZISM finding): NZISM 17.1.51
Three tickets. Three reviews. One fix. This is noise.
AZCheck: one finding
HTTP traffic allowed on stprodapp001
CIS 3.1 · MCSB NS-3 · NZISM 17.1.51
az storage account update --name stprodapp001 --resource-group <rg> --https-only true
One finding. Three citations. One fix. All gaps closed.
Schema

Checks are data, not black boxes.

Every check is a structured JSON document. The evaluation logic, finding text, remediation steps, and framework citations are all readable, versionable, and auditable — not compiled away into an opaque binary.

azure-sa-net-https.json — every check follows this schema. checkType is one of binary, tiered, context-dependent, org-stance or bidirectional. A whoCares perspective that does not apply to a check is null: it is never invented and never dimmed.
{
  "id": "99976e7c-69f1-41ee-896f-7f99022553c0",
  "slug": "azure-sa-net-https",
  "checkType": "binary",
  "identity": {
    "title": "Storage accounts must use HTTPS only",
    "rationale": "Without HTTPS, data moving between applications and Azure storage travels unencrypted...",
    "whoCares": {
      "security": "Prevents man-in-the-middle and eavesdropping attacks on storage traffic.",
      "compliance": "Required by CIS Azure 3.1, MCSB NS-3, PCI-DSS 4.2.1, NZISM 17.1.51.C.01.",
      "operations": "Enabling causes no downtime. Only risk is legacy HTTP applications.",
      "finance": "Compliance violation penalties and audit remediation costs dwarf the zero cost of enabling this setting."
    }
  },
  "evaluation": {
    "method": "arm_property",
    "field": "properties.supportsHttpsTrafficOnly",
    "operator": "equals",
    "expected": true
  },
  "remediation": {
    "portalSteps": "Storage Account → Configuration → Secure transfer required → Enabled → Save",
    "cli": "az storage account update --name <name> --resource-group <rg> --https-only true",
    "terraform": "https_traffic_only_enabled = true",
    "pulumi": null
  },
  "references": [
    { "framework": "cis-azure", "control": "3.1", "controlTitle": "Ensure Secure transfer required is Enabled" },
    { "framework": "mcsb",      "control": "NS-3", "controlTitle": "Deploy firewall at edge of enterprise network" },
    { "framework": "nzism",     "control": "17.1.51.C.01", "controlTitle": "Encrypted communications" }
  ],
  "metadata": { "authoredBy": "lensory", "authoredDate": "2026-05-02", "deprecated": false }
}
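The evaluation model from the Check types and Framework deduplication sections, run over records in the schema above, as an added example that is not AZCheck's code. The first record mirrors azure-sa-net-https from the page; the other records, the extra evaluation fields they use (scale, compliant, recommended, stance, acceptable), the ISO 27001 and SOC 2 control IDs, the environment-inference heuristic and the ARM document for stprodapp001 are all constructed for this example. Each check yields exactly one finding carrying every framework citation, and the five check types produce pass, fail, partial or info verdicts as the page describes.

```python
# Added example, not AZCheck's code: evaluates constructed check records shaped like the page's
# schema against a constructed ARM document. The evaluation fields of the tiered, org-stance and
# bidirectional records and the infer_environment() heuristic are assumptions for this example.
from dataclasses import dataclass, field

TLS_SCALE = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]   # ordered scale for the tiered check
REDUNDANT = ["Standard_ZRS", "Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"]
CLI = "az storage account update --name {name} --resource-group {rg} "
CHECKS = [  # (framework, control) tuples stand in for the page's reference objects
    {"slug": "azure-sa-net-https", "checkType": "binary",              # mirrors the page's record
     "evaluation": {"field": "properties.supportsHttpsTrafficOnly", "expected": True},
     "remediation": CLI + "--https-only true",
     "references": [("CIS", "3.1"), ("MCSB", "NS-3"), ("NZISM", "17.1.51.C.01")]},
    {"slug": "azure-sa-net-tls", "checkType": "tiered",
     "evaluation": {"field": "properties.minimumTlsVersion", "scale": TLS_SCALE,
                    "compliant": "TLS1_2", "recommended": "TLS1_3"},
     "remediation": CLI + "--min-tls-version TLS1_2",
     "references": [("CIS", "3.2"), ("MCSB", "NS-3")]},
    {"slug": "azure-sa-net-firewall", "checkType": "context-dependent",
     "evaluation": {"field": "properties.networkAcls.defaultAction", "expected": "Deny"},
     "remediation": CLI + "--default-action Deny",
     "references": [("CIS", "3.7"), ("MCSB", "NS-1")]},
    {"slug": "azure-sa-enc-infra", "checkType": "org-stance",
     "evaluation": {"field": "properties.encryption.requireInfrastructureEncryption",
                    "stance": "infrastructureEncryption"},
     # settable only when the account is created, so the fix is a new account plus a migration
     "remediation": "az storage account create --name {name} --resource-group {rg} --require-infrastructure-encryption true",
     "references": [("CIS", "3.3"), ("NZISM", "17.1.46")]},
    {"slug": "azure-sa-red-level", "checkType": "bidirectional",
     "evaluation": {"field": "sku.name", "acceptable": {"prod": REDUNDANT, "dev": ["Standard_LRS"]}},
     "remediation": CLI + "--sku <sku>",
     "references": [("ISO 27001", "A.8.14"), ("SOC 2", "A1.2")]},  # control IDs chosen for the example
]

@dataclass
class Finding:
    slug: str
    resource: str
    status: str            # pass | fail | partial | info
    detail: str
    citations: list = field(default_factory=list)
    remediation: str = ""

def get_path(doc, path):   # walk a dotted path such as properties.networkAcls.defaultAction
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def infer_environment(res):  # assumed heuristic: environment tag wins, then the name; unknown is prod
    tag = (res.get("tags") or {}).get("environment", "").lower()
    if tag in ("dev", "test", "nonprod") or (not tag and any(s in res["name"].lower() for s in ("dev", "test"))):
        return "dev"
    return "prod"

def verdict(kind, ev, value, res, org_stance):
    """(status, detail) for one check, following the page's five check types."""
    if kind == "binary":
        return ("pass", "") if value == ev["expected"] else ("fail", f"{ev['field']} is {value!r}, expected {ev['expected']!r}")
    if kind == "context-dependent":        # readable but not fully evaluable here: partial, not fail
        return ("pass", "") if value == ev["expected"] else ("partial", f"defaultAction is {value}; whether that is acceptable depends on network topology")
    if kind == "tiered":
        rank = ev["scale"].index(value) if value in ev["scale"] else -1
        if rank < ev["scale"].index(ev["compliant"]):
            return "fail", f"{value} is below the compliant floor {ev['compliant']}"
        if rank < ev["scale"].index(ev["recommended"]):
            return "pass", f"compliant at {value}; recommended next step is {ev['recommended']}"
        return "pass", f"at the recommended level {value}"
    if kind == "org-stance":               # undeclared stance: report the setting, do not flag it
        stance = org_stance.get(ev["stance"])
        if stance is None:
            return "info", f"no organisation stance declared; setting is currently {value}"
        if stance == "required" and value is not True:
            return "fail", "organisation requires infrastructure encryption but it is not enabled"
        return "pass", f"stance '{stance}' satisfied"
    if kind == "bidirectional":            # both directions are findings, with different detail
        env = infer_environment(res)
        if value in ev["acceptable"][env]:
            return "pass", f"{value} is appropriate for {env}"
        return "fail", (f"{value} under-provisions a production account (risk)" if env == "prod"
                        else f"{value} over-provisions a {env} account (unnecessary spend)")
    raise ValueError(f"unknown checkType {kind}")

def evaluate(check, res, org_stance):
    ev = check["evaluation"]
    status, detail = verdict(check["checkType"], ev, get_path(res, ev["field"]), res, org_stance)
    fix = check["remediation"].format(name=res["name"], rg=res.get("resourceGroup", "<rg>")) if status == "fail" else ""
    # one finding per issue: every framework citation rides on the same record
    return Finding(check["slug"], res["name"], status, detail, [f"{fw} {c}" for fw, c in check["references"]], fix)

def audit(res, org_stance=None):
    return [evaluate(c, res, org_stance or {}) for c in CHECKS]

# Constructed ARM document for the page's example account, with values that trip several checks
STPRODAPP001 = {"name": "stprodapp001", "resourceGroup": "rg-app", "tags": {"environment": "prod"},
                "sku": {"name": "Standard_LRS"}, "properties": {
                    "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_2",
                    "networkAcls": {"defaultAction": "Allow"}, "encryption": {"requireInfrastructureEncryption": False}}}

if __name__ == "__main__":
    for f in audit(STPRODAPP001, {"infrastructureEncryption": "required"}):
        print(f"[{f.status.upper():7}] {f.slug} · {' · '.join(f.citations)} · {f.detail or 'ok'}"
              + (f" · fix: {f.remediation}" if f.remediation else ""))
```

Run as a script it prints one line per check for stprodapp001: HTTPS fails with all three citations and one CLI fix, TLS passes at the compliant tier with TLS 1.3 named as the next step, the firewall default comes back partial, infrastructure encryption fails only because the org stance passed in says it is required, and LRS is flagged as under-provisioned because the account is inferred to be production. Rename the same document to stdevapp001 with a GZRS SKU and the redundancy check flips to an over-provisioning finding, which is the bidirectional behaviour the page describes.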
Live check catalogue

Browse all checks

Every check in the catalogue is the actual data AZCheck uses to evaluate your resources, not marketing copy. The catalogue can be filtered by resource type or framework to narrow the view.


Ready to run your first compliance audit?

Paste a Cloud Shell token and see your first findings in under five minutes. The token is a bearer credential that carries every Azure permission of the identity that issued it until it expires, so generate it from an identity that holds only Reader on the subscriptions you want audited. Or read the help docs to understand the full workflow.