New feature motivation
#7384 requests GDPR compliance mappings for Azure (and GCP). Prowler currently ships a GDPR framework only for AWS (prowler/compliance/aws/gdpr_aws.json), covering three articles: Article 25 (data protection by design and by default), Article 30 (records of processing activities), and Article 32 (security of processing).
Solution Proposed
Add prowler/compliance/azure/gdpr_azure.json, following the same legacy schema/structure as the existing AWS file (same Framework: "GDPR", same three requirements: article_25, article_30, article_32, Generic_Compliance_Requirement_Attribute), mapped to existing Azure checks. This follows the documented convention for extending a legacy framework to a new provider ("ship one JSON file per provider").
Scoping this to Azure only (GCP would be a separate follow-up, per the existing "one file per provider" convention).
Draft mapping (all checks verified to exist under prowler/providers/azure/services/):
Article 25 — Data protection by design and by default (identity/access controls, change-monitoring, key hygiene)
entra_privileged_user_has_mfa, entra_non_privileged_user_has_mfa, entra_user_with_vm_access_has_mfa
entra_conditional_access_policy_require_mfa_for_admin_portals, entra_conditional_access_policy_require_mfa_for_management_api
entra_global_admin_in_less_than_five_users, entra_policy_guest_invite_only_for_admin_roles
iam_role_user_access_admin_restricted, iam_custom_role_has_permissions_to_administer_resource_locks
monitor_diagnostic_settings_exists, monitor_diagnostic_setting_with_appropriate_categories
network_watcher_enabled, network_flow_log_captured_sent, network_flow_log_more_than_90_days
monitor_alert_create_policy_assignment, monitor_alert_delete_policy_assignment, monitor_alert_create_update_nsg, monitor_alert_delete_nsg
storage_key_rotation_90_days, keyvault_key_rotation_enabled
Article 30 — Records of processing activities (audit/diagnostic logging)
monitor_diagnostic_settings_exists, monitor_diagnostic_setting_with_appropriate_categories, monitor_storage_account_with_activity_logs_is_private
network_flow_log_captured_sent, network_flow_log_more_than_90_days
keyvault_logging_enabled, app_http_logs_enabled
mysql_flexible_server_audit_log_enabled, mysql_flexible_server_audit_log_connection_activated
postgresql_flexible_server_log_connections_on, postgresql_flexible_server_log_disconnections_on, postgresql_flexible_server_log_checkpoints_on, postgresql_flexible_server_log_retention_days_greater_3
Article 32 — Security of processing (encryption at rest/in transit, TLS, backups)
storage_ensure_encryption_with_customer_managed_keys, storage_infrastructure_encryption_is_enabled, storage_ensure_minimum_tls_version_12, storage_secure_transfer_required_is_enabled, storage_blob_public_access_level_is_disabled, storage_default_network_access_rule_is_denied
sqlserver_tde_encryption_enabled, sqlserver_tde_encrypted_with_cmk, sqlserver_recommended_minimal_tls_version
mysql_flexible_server_ssl_connection_enabled, mysql_flexible_server_minimum_tls_version_12, postgresql_flexible_server_enforce_ssl_enabled
vm_ensure_attached_disks_encrypted_with_cmk, vm_ensure_unattached_disks_encrypted_with_cmk, vm_backup_enabled, vm_sufficient_daily_backup_retention_period
keyvault_recoverable, keyvault_non_rbac_secret_expiration_set, keyvault_rbac_secret_expiration_set
app_ensure_http_is_redirected_to_https, app_minimum_tls_version_12
databricks_workspace_cmk_encryption_enabled
Would also add the schema/content tests under tests/lib/check/universal_compliance_models_test.py (loading the legacy JSON via adapt_legacy_to_universal), following the same pattern used for #11579.
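As an added example (not Prowler's own code and not part of the issue): a small Python script that assembles the legacy-schema document for the draft mapping and performs the verification the issue describes as "all checks verified to exist", i.e. that every referenced check id resolves to prowler/providers/azure/services/<service>/<check>/<check>.py. Only Framework "GDPR" and the article_* requirement ids come from the issue; the remaining JSON keys (Provider, Requirements, Id, Description, Attributes, ItemId, Section, Checks) and the check-folder layout are assumptions inferred from the existing AWS file, and the script runs against a constructed directory tree rather than a real checkout.

```python
"""Build and sanity-check a legacy-schema GDPR mapping for the Azure provider.

Added example, not Prowler's code. Assumptions (inferred from gdpr_aws.json):
  * top-level keys "Framework", "Version", "Provider", "Description", "Requirements";
  * each requirement has "Id", "Description", "Attributes", "Checks", and the
    Generic_Compliance_Requirement_Attribute carries at least ItemId and Section;
  * every check lives at <services_root>/<service>/<check>/<check>.py.
"""
import json
import os
import tempfile
from collections import Counter

# Subset of the issue's draft mapping (trimmed to keep the example short);
# the article titles are the issue's own wording.
DRAFT_MAPPING = {
    "article_25": ("Data protection by design and by default",
                   ["entra_privileged_user_has_mfa",
                    "monitor_diagnostic_settings_exists",
                    "storage_key_rotation_90_days"]),
    "article_30": ("Records of processing activities",
                   ["monitor_diagnostic_settings_exists",
                    "keyvault_logging_enabled",
                    "postgresql_flexible_server_log_connections_on"]),
    "article_32": ("Security of processing",
                   ["storage_ensure_minimum_tls_version_12",
                    "sqlserver_tde_encryption_enabled",
                    "vm_backup_enabled"]),
}


def build_legacy_framework(mapping, provider="Azure"):
    """Return the legacy-schema document for an article -> (title, checks) mapping."""
    requirements = []
    for req_id, (title, checks) in mapping.items():
        requirements.append({
            "Id": req_id,
            "Description": title,
            # Field names of the attribute are assumed, not stated in the issue.
            "Attributes": [{"ItemId": req_id, "Section": title}],
            "Checks": sorted(set(checks)),  # same check twice in one article is a typo
        })
    return {
        "Framework": "GDPR",
        "Version": "",
        "Provider": provider,
        "Description": "GDPR mapping for Azure: articles 25, 30 and 32 (assumed text)",
        "Requirements": requirements,
    }


def find_missing_checks(framework, services_root):
    """Check ids referenced by the framework that have no
    <service>/<check>/<check>.py under services_root, in any service directory."""
    present = set()
    if os.path.isdir(services_root):
        for service in os.listdir(services_root):
            service_dir = os.path.join(services_root, service)
            if not os.path.isdir(service_dir):
                continue
            for check in os.listdir(service_dir):
                if os.path.isfile(os.path.join(service_dir, check, f"{check}.py")):
                    present.add(check)
    referenced = {c for r in framework["Requirements"] for c in r["Checks"]}
    return sorted(referenced - present)


def duplicate_checks_within_requirements(mapping):
    """Checks repeated inside one article. Reuse across articles is intended
    (monitor_diagnostic_settings_exists sits under both 25 and 30)."""
    dupes = {}
    for req_id, (_, checks) in mapping.items():
        repeated = sorted(c for c, n in Counter(checks).items() if n > 1)
        if repeated:
            dupes[req_id] = repeated
    return dupes


def make_fake_services_tree(root, check_ids):
    """Constructed fixture: lay out <service>/<check>/<check>.py for each check,
    taking the service as the first underscore-separated token of the id."""
    for check in check_ids:
        check_dir = os.path.join(root, check.split("_", 1)[0], check)
        os.makedirs(check_dir, exist_ok=True)
        open(os.path.join(check_dir, f"{check}.py"), "w").close()


def demo():
    """Build the document and verify it against a constructed tree that
    deliberately lacks one check; returns (json_text, missing_checks)."""
    framework = build_legacy_framework(DRAFT_MAPPING)
    with tempfile.TemporaryDirectory() as tmp:
        all_checks = {c for _, checks in DRAFT_MAPPING.values() for c in checks}
        make_fake_services_tree(tmp, all_checks - {"vm_backup_enabled"})
        missing = find_missing_checks(framework, tmp)
    return json.dumps(framework, indent=2), missing


if __name__ == "__main__":
    text, missing = demo()
    print(text)
    print("missing checks:", missing)
```

Pointing find_missing_checks at a real prowler/providers/azure/services/ directory gives the existence check for the full draft list; the duplicate check is the one a per-file test under tests/lib/check/ would most plausibly want in addition, since a check repeated within a single article is almost always a copy-paste slip.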
Describe alternatives you've considered
Could instead write this as a universal-schema framework with a different name (e.g. gdpr.json covering both AWS and Azure), but that would require migrating the existing AWS gdpr_aws.json, which is a larger and more disruptive change than an additive per-provider extension.
Additional context
Opening this before coding to confirm the mapping/scope is acceptable. Happy to adjust the check list based on feedback.