Review target
skills/cloud/azure-review
Gap
The current Azure review checks that diagnostic settings exist and that required categories are enabled, but it does not force reviewers to prove the full diagnostic pipeline: resource coverage, category/category-group coverage, destination, retention, destination hardening, and sample delivery.
Why this matters
Azure diagnostic controls can produce false passes when an azurerm_monitor_diagnostic_setting exists but:
- the setting covers only the subscription Activity Log and not Key Vault, Storage, SQL, NSG, App Service, or other in-scope resources;
- security-relevant categories such as Security, Policy, Administrative, or Key Vault AuditEvent are missing;
- resource diagnostics rely on partial categories instead of category_group = "allLogs" where supported;
- logs are routed to a workspace/storage/event hub with insufficient retention;
- diagnostic storage is public, lacks CMK where required, or is broadly readable;
- Event Hub authorization or downstream consumer retention is not evidenced;
- no sample Activity Log or AuditEvent is observed at the destination.
Proposed evidence gates
Add a focused diagnostic pipeline integrity step and concrete checklist patterns covering:
- subscription and resource diagnostic coverage;
- required category/category-group evidence;
- Log Analytics, Event Hub, or Storage Account destination evidence;
- destination retention and access hardening;
- CMK/private access checks where policy requires them;
- sample export validation or Not Evaluable status.
Suggested severity
- High: diagnostic settings omit security-relevant categories, resource diagnostics missing for critical services, or destination is broadly accessible.
- Medium: retention/export validation evidence missing for production or regulated subscriptions.
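The gates and severities above, turned into a runnable checker (an added example, not code from the azure-review skill or from this review). The diagnostic-setting records follow the JSON shape of `az monitor diagnostic-settings list` (logs[].category, logs[].categoryGroup, logs[].enabled, workspaceId, storageAccountId, eventHubAuthorizationRuleId); the resource inventory, the destination evidence dict, the `sampleObserved` flag, the REQUIRED category map and the 365-day retention floor are assumptions the reviewer would replace with collected evidence.

```python
"""Evidence-gate checker for an Azure diagnostic pipeline (added example).

Setting records mirror `az monitor diagnostic-settings list` JSON. The
resource inventory, destination evidence and `sampleObserved` flag are
assumptions standing in for the reviewer's own evidence collection.
"""
from collections import defaultdict

# Assumption: the review's "security-relevant categories" by resource type.
REQUIRED = {
    "subscription": {"Administrative", "Security", "Policy"},
    "Microsoft.KeyVault/vaults": {"AuditEvent"},
    "Microsoft.Network/networkSecurityGroups": {"NetworkSecurityGroupEvent"},
}
CRITICAL = set(REQUIRED)      # a missing setting on these rates High
MIN_RETENTION_DAYS = 365      # assumption: retention floor for production
DEST_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def enabled_categories(setting, catalogue):
    """Effective enabled categories; allLogs expands to the type's catalogue."""
    cats = set()
    for log in setting.get("logs", []):
        if not log.get("enabled"):
            continue
        if log.get("categoryGroup") == "allLogs":
            cats |= catalogue
        elif log.get("category"):
            cats.add(log["category"])
    return cats


def check_destination(name, dest_id, destinations):
    """Destination gates: evidenced at all, not broadly accessible, retention."""
    dest = destinations.get(dest_id)
    if dest is None:
        return [("Medium", f"{name}: destination {dest_id} not evidenced (Not Evaluable)")]
    out = []
    if dest.get("publicNetworkAccess") == "Enabled" or dest.get("allowBlobPublicAccess"):
        out.append(("High", f"{name}: destination {dest_id} is broadly accessible"))
    days = dest.get("retentionInDays", 0)
    if days < MIN_RETENTION_DAYS:
        out.append(("Medium", f"{name}: destination retention {days}d < {MIN_RETENTION_DAYS}d"))
    return out


def evaluate(resources, settings, destinations, catalogue):
    """Return (severity, resource_id, message) findings for every gate."""
    findings = []
    by_resource = defaultdict(list)
    for s in settings:
        by_resource[s["resourceId"]].append(s)
    for res in resources:
        rid, rtype = res["id"], res["type"]
        setts = by_resource.get(rid, [])
        if not setts:                                   # coverage gate
            findings.append(("High" if rtype in CRITICAL else "Medium", rid, "no diagnostic setting"))
            continue
        covered = set()
        for s in setts:
            covered |= enabled_categories(s, catalogue.get(rtype, set()))
            dest_ids = [s[k] for k in DEST_KEYS if s.get(k)]
            if not dest_ids:                            # destination gate
                findings.append(("High", rid, f"{s['name']}: no destination"))
            for d in dest_ids:
                findings += [(sev, rid, msg) for sev, msg in check_destination(s["name"], d, destinations)]
            if not s.get("sampleObserved"):             # sample delivery gate
                findings.append(("Medium", rid, f"{s['name']}: no sample log observed at destination"))
        missing = REQUIRED.get(rtype, set()) - covered  # category gate
        if missing:
            findings.append(("High", rid, f"missing categories {sorted(missing)}"))
    return findings


def run_example():
    """Constructed inventory: subscription, Key Vault, NSG (no setting), App Service."""
    p = "/subscriptions/sub1/resourceGroups/rg/providers/"
    resources = [
        {"id": "/subscriptions/sub1", "type": "subscription"},
        {"id": p + "Microsoft.KeyVault/vaults/kv-prod", "type": "Microsoft.KeyVault/vaults"},
        {"id": p + "Microsoft.Network/networkSecurityGroups/nsg-web", "type": "Microsoft.Network/networkSecurityGroups"},
        {"id": p + "Microsoft.Web/sites/app-web", "type": "Microsoft.Web/sites"},
    ]
    settings = [  # constructed, shaped like `az monitor diagnostic-settings list`
        {"name": "activity-to-law", "resourceId": resources[0]["id"], "workspaceId": "law-prod",
         "logs": [{"category": "Administrative", "enabled": True},
                  {"category": "Security", "enabled": False}], "sampleObserved": True},
        {"name": "kv-all", "resourceId": resources[1]["id"], "workspaceId": "law-prod",
         "logs": [{"categoryGroup": "allLogs", "enabled": True}], "sampleObserved": True},
        {"name": "app-to-storage", "resourceId": resources[3]["id"], "storageAccountId": "stdiag",
         "logs": [{"categoryGroup": "allLogs", "enabled": True}], "sampleObserved": False},
    ]
    destinations = {  # constructed destination evidence
        "law-prod": {"publicNetworkAccess": "Disabled", "retentionInDays": 730},
        "stdiag": {"allowBlobPublicAccess": True, "retentionInDays": 30},
    }
    catalogue = {  # categories each type supports, i.e. what allLogs expands to
        "Microsoft.KeyVault/vaults": {"AuditEvent", "AzurePolicyEvaluationDetails"},
        "Microsoft.Web/sites": {"AppServiceHTTPLogs", "AppServiceAuditLogs"},
    }
    return evaluate(resources, settings, destinations, catalogue)


if __name__ == "__main__":
    for sev, rid, msg in run_example():
        print(f"[{sev}] {rid.rsplit('/', 1)[-1]}: {msg}")
```

On the constructed data the Key Vault passes every gate, the subscription setting is High because only Administrative is enabled, the NSG is High because no setting exists at all, and the App Service setting is High for the publicly readable storage destination plus two Mediums for 30-day retention and no observed sample. An unknown destination id is reported as Not Evaluable rather than silently passing.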
Bounty request
Reviewer tier ($25) if this review is accepted. I can provide payment details if accepted.