Azure STRIDE Threat Matrix
Explore the STRIDE threat matrices for different Azure services, including associated threats and mitigations.
Azure Virtual Machines (VMs)

| STRIDE Category | Threat Description | VM Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized VM access through identity spoofing or password theft. | VMs, VM network access | Multi-Factor Authentication (MFA) and Conditional Access: Enforce MFA and Conditional Access policies |
| Spoofing | SSH/RDP credential theft due to insecure configurations. | VM login | Azure Key Vault, secure login methods: Store secrets in Azure Key Vault; limit logins to SSH keys or Windows Hello |
| Tampering | VM disk tampering, unauthorized data or OS disk modifications. | VM disks | Azure Disk Encryption: Encrypt disks with customer-managed keys |
| Tampering | Altering NSG rules, potentially exposing VMs. | VM network interfaces | Restrict NSG modification: Limit NSG changes to authorized users |
| Repudiation | Lack of logging for actions on VMs. | VM access and configuration logs | Azure Monitor, XDR, SIEM: Enable detailed audit logging |
| Information Disclosure | Exposure of sensitive data via unmanaged snapshots. | VM snapshots and images | Limit access, audit snapshots: Restrict storage account access and audit permissions |
| Denial of Service | Service interruption through resource exhaustion. | VM compute and network resources | DDoS Protection, Autoscale: Enable Azure DDoS Protection and Autoscale |
| Elevation of Privilege | Privilege escalation due to misconfigured permissions. | VM permissions | Principle of Least Privilege (PoLP), PIM: Apply PoLP, enforce PIM for elevated access |

Azure SQL Database

| STRIDE Category | Threat Description | SQL Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access by impersonating users. | SQL database access | Azure AD and MFA: Enforce MFA and Azure AD for authentication |
| Tampering | Unauthorized data modification in SQL tables. | SQL data | Transparent Data Encryption (TDE): Encrypt data at rest with TDE |
| Repudiation | Lack of logging, making it difficult to trace actions. | SQL activity logs | SQL Database Auditing: Enable auditing to capture all actions |
| Information Disclosure | Data leaks via unencrypted backups. | SQL backups | Encryption at Rest: Enable encryption for backups |
| Denial of Service | Overloading connections, causing unavailability. | SQL compute and networking | Auto-Scale, DDoS Protection: Enable Auto-Scale and DDoS protection |
| Elevation of Privilege | Escalation via misconfigured SQL roles. | SQL roles and permissions | Principle of Least Privilege (PoLP): Enforce PoLP and RBAC |

Azure Kubernetes Service (AKS)

| STRIDE Category | Threat Description | AKS Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to AKS clusters by impersonating users or applications. | AKS cluster access | Azure AD Integration: Integrate AKS with Azure AD and enforce MFA |
| Tampering | Modification of Kubernetes configurations or network policies. | AKS cluster and network policies | Pod Security and Network Policies: Enforce secure policies and limit RBAC roles |
| Repudiation | Lack of audit trails for actions performed in the AKS cluster. | AKS access and action logs | Kubernetes Audit Logging: Enable Kubernetes Audit Logging |
| Information Disclosure | Exposure of sensitive information through Kubernetes secrets. | AKS secrets and config maps | Azure Key Vault: Store sensitive data in Azure Key Vault |
| Denial of Service | Resource exhaustion attacks on cluster nodes or network. | AKS nodes and networking | Azure DDoS Protection: Enable DDoS Protection for public applications |
| Elevation of Privilege | Unauthorized access to cluster resources via compromised roles. | AKS RBAC and IAM roles | PoLP for RBAC: Limit access with RBAC using PoLP |

Azure App Service

| STRIDE Category | Threat Description | App Service Components | Mitigations |
|---|---|---|---|
| Spoofing | Impersonation of legitimate users to access App Services. | App Service access | Azure AD and MFA: Use Azure AD authentication with MFA |
| Tampering | Tampering with application files or configurations. | App Service code and configuration | Application Insights: Enable monitoring and auditing of configurations |
| Repudiation | Lack of traceability in app access, making auditing difficult. | App Service logs | App Service Logging: Enable logging to Log Analytics |
| Information Disclosure | Data exposure from permissive API permissions or storage misconfigurations. | App Service endpoints and storage | API Management and VNet Integration: Limit permissions with API Management |
| Denial of Service | Resource exhaustion or excessive request overload on App Service. | App Service compute resources | Autoscale and DDoS Protection: Enable Autoscale and DDoS Protection |
| Elevation of Privilege | Access to sensitive resources due to permissive roles. | App Service RBAC | PoLP in IAM: Apply PoLP with RBAC for App Service |

Azure Functions

| STRIDE Category | Threat Description | Azure Functions Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to functions via impersonation. | Function access | Azure AD Authentication: Enable Azure AD for function access |
| Tampering | Unauthorized modification of function code or configuration. | Function code and configuration | Azure DevOps CI/CD: Use DevOps pipelines for secure deployment |
| Repudiation | Lack of audit logs for function invocations. | Function logs | Application Insights: Use Application Insights for logging |
| Information Disclosure | Exposure of sensitive data in function logs or outputs. | Function output | Data Masking: Mask sensitive data in logs |
| Denial of Service | Resource exhaustion through excessive function invocations. | Function resources | Autoscale and Rate Limits: Enable Autoscale and limit public access |
| Elevation of Privilege | Unauthorized access to resources via over-permissive function roles. | Function RBAC | PoLP with Managed Identity: Limit function roles using PoLP and Managed Identity |

Azure Cosmos DB

| STRIDE Category | Threat Description | Cosmos DB Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to Cosmos DB by impersonating users. | Cosmos DB accounts | Azure AD and Managed Identities: Enforce Azure AD authentication and managed identities |
| Tampering | Unauthorized data modifications within Cosmos DB. | Cosmos DB data | Data Encryption at Rest: Encrypt data and limit modification access |
| Repudiation | Lack of logging for actions on Cosmos DB data. | Cosmos DB activity logs | Diagnostic Logging: Enable Diagnostic Logging and monitor access |
| Information Disclosure | Sensitive data exposure due to over-permissive access keys. | Cosmos DB data | RBAC and VNet Integration: Use VNet Integration and configure RBAC |
| Denial of Service | Resource exhaustion due to excessive requests. | Cosmos DB request units | Monitor RUs and Optimize Queries: Optimize query usage and monitor for spikes |
| Elevation of Privilege | Unauthorized escalation of privileges to access data. | Cosmos DB permissions | PoLP and PIM: Enforce PoLP and use PIM for privileged access |

Azure Key Vault

| STRIDE Category | Threat Description | Key Vault Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to secrets in Key Vault. | Key Vault access | Azure AD and MFA: Use Azure AD with MFA for access control |
| Tampering | Modification of Key Vault secrets. | Key Vault data | Immutable Policies: Enable Immutable Policies for added security |
| Repudiation | Lack of logging for Key Vault access changes. | Key Vault logs | Diagnostic Logging: Enable Diagnostic Logging for access monitoring |
| Information Disclosure | Exposure of sensitive data due to misconfigured access policies. | Key Vault data | RBAC with PoLP: Use RBAC with PoLP to limit access |
| Denial of Service | Service disruption by exhausting API request limits. | Key Vault API | Rate Limiting: Implement rate limiting for API requests |
| Elevation of Privilege | Escalation of privileges in Key Vault. | Key Vault access controls | PoLP and PIM: Apply PoLP with PIM for sensitive access |

Azure Storage

| STRIDE Category | Threat Description | Storage Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to storage accounts via impersonation. | Storage account access | Azure AD and MFA: Use Azure AD with MFA for storage access |
| Tampering | Modification of storage data, such as adding or deleting blobs. | Storage data | Immutability Policies: Enable Immutability Policies for Blob storage |
| Repudiation | Lack of logging for storage data access. | Storage logs | Storage Diagnostics: Enable Azure Storage Diagnostics |
| Information Disclosure | Exposure of sensitive data through public storage configurations. | Storage access controls | VNet Integration and TLS: Use VNet and TLS for secure access |
| Denial of Service | Service unavailability due to excessive requests. | Storage resources | DDoS Protection: Enable DDoS Protection on storage accounts |
| Elevation of Privilege | Unauthorized escalation via misconfigured roles. | Storage RBAC and IAM | PoLP in IAM: Enforce PoLP for storage permissions |

Azure Synapse Analytics

| STRIDE Category | Threat Description | Synapse Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to Synapse by impersonating users. | Synapse access | Azure AD and RBAC: Use Azure AD with RBAC for secure access |
| Tampering | Modification of data or configurations within Synapse Analytics. | Synapse data and pipelines | RBAC and Data Encryption: Use RBAC and encryption to secure data |
| Repudiation | Lack of audit logging for data operations. | Synapse logs | Diagnostic Logging: Enable Diagnostic Logging for audits |
| Information Disclosure | Data exposure due to over-permissive access policies. | Synapse access policies | PoLP and Private Link: Enforce PoLP and enable Private Link |
| Denial of Service | Overloading resources due to high-volume queries. | Synapse compute resources | DDoS Protection and Autoscale: Enable DDoS Protection and Autoscale |
| Elevation of Privilege | Unauthorized access to Synapse administrative roles. | Synapse roles | PIM and PoLP: Use PIM and PoLP for role management |

Azure SQL Managed Instance

| STRIDE Category | Threat Description | SQL Instance Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access by impersonating legitimate users. | SQL Managed Instance access | Azure AD and Conditional Access: Use Azure AD authentication with Conditional Access policies |
| Tampering | Modification of database tables or schemas. | SQL data | Transparent Data Encryption (TDE): Encrypt data at rest with TDE |
| Repudiation | Lack of logging for actions in SQL Managed Instance. | SQL audit logs | SQL Auditing: Enable SQL Auditing to capture all actions |
| Information Disclosure | Exposure of sensitive data due to public access or lack of encryption. | SQL data and network access | VNet Integration and TLS: Use VNet and TLS for secure access |
| Denial of Service | Resource exhaustion caused by excessive queries. | SQL compute and storage resources | Autoscale and DDoS Protection: Enable Autoscale and DDoS protection |
| Elevation of Privilege | Escalation of privileges due to misconfigured roles. | SQL IAM roles | PoLP and PIM: Apply PoLP with PIM for role management |

Azure Event Hubs

| STRIDE Category | Threat Description | Event Hubs Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to Event Hubs by impersonating users. | Event Hub namespaces | Azure AD and Managed Identities: Use Azure AD authentication with Managed Identities |
| Tampering | Modifying or deleting events in Event Hubs. | Event data | Immutable Storage Policies: Enable Immutable Storage Policies |
| Repudiation | Lack of logging for Event Hub access actions. | Event Hub activity logs | Diagnostic Logging: Enable Diagnostic Logging for access tracking |
| Information Disclosure | Exposure of sensitive data via misconfigured public endpoints. | Event Hub access controls | TLS and RBAC: Enforce TLS and RBAC for secure access |
| Denial of Service | Service disruption by exceeding Event Hub capacity limits. | Event Hub resources | Autoscale and DDoS Protection: Enable Autoscale and DDoS Protection |
| Elevation of Privilege | Privilege escalation to Event Hub control via misconfigured roles. | Event Hub RBAC | PoLP and PIM: Apply PoLP with PIM for role management |

Azure Logic Apps

| STRIDE Category | Threat Description | Logic Apps Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized execution of Logic Apps workflows by impersonating users. | Logic Apps access | Azure AD and API Management: Use Azure AD with API Management for secure access |
| Tampering | Modification of workflow definitions or configurations. | Logic Apps workflows | RBAC and Azure Policy: Restrict access to configurations with RBAC |
| Repudiation | Lack of audit logs for workflow actions. | Logic Apps activity logs | Diagnostic Logging: Enable Diagnostic Logging for monitoring |
| Information Disclosure | Exposure of sensitive data through unsecured API connectors. | Logic Apps connectors | RBAC and VNet Integration: Limit access to connectors with RBAC |
| Denial of Service | Service disruption due to excessive Logic Apps executions. | Logic Apps compute resources | Autoscale and Throttling: Set up Autoscale and API rate limits |
| Elevation of Privilege | Privilege escalation by gaining access to Logic Apps management. | Logic Apps permissions | PoLP and PIM: Use PoLP and PIM for privileged management |

Azure Data Factory

| STRIDE Category | Threat Description | Data Factory Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to data pipelines by impersonating users. | Data Factory pipelines | Azure AD and RBAC: Use Azure AD with RBAC for secure pipeline access |
| Tampering | Unauthorized modification of pipeline configurations. | Data Factory pipeline configurations | RBAC and Azure Policy: Limit configuration access with RBAC |
| Repudiation | Lack of logging for pipeline executions. | Data Factory activity logs | Diagnostic Logging: Enable Diagnostic Logging for audit trails |
| Information Disclosure | Data exposure due to misconfigured access policies. | Data Factory data flows | VNet Integration and TLS: Use VNet Integration and TLS for secure data transfer |
| Denial of Service | Service interruptions from excessive pipeline executions. | Data Factory compute resources | Throttling and Autoscale: Use Autoscale and set up rate limits |
| Elevation of Privilege | Privilege escalation via excessive permissions in Data Factory. | Data Factory roles and permissions | PoLP and PIM: Apply PoLP and use PIM for elevated access |

Azure IoT Hub

| STRIDE Category | Threat Description | IoT Hub Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to IoT Hub data by impersonating devices. | IoT Hub devices | Azure AD and X.509 Certificates: Use X.509 certificates for device authentication |
| Tampering | Modifying device data or commands in transit. | IoT Hub telemetry and commands | Message Encryption: Encrypt messages to protect telemetry |
| Repudiation | Lack of audit logs for device actions. | IoT Hub activity logs | Diagnostic Logging: Enable Diagnostic Logging for monitoring |
| Information Disclosure | Exposure of sensitive data through unprotected device identities. | IoT Hub device identities | PoLP and Managed Identities: Apply PoLP and Managed Identities for access |
| Denial of Service | Resource exhaustion by overwhelming IoT Hub with high volumes of data. | IoT Hub compute and storage | Rate Limiting and DDoS Protection: Enable rate limits and DDoS Protection |
| Elevation of Privilege | Unauthorized access to IoT Hub by gaining elevated permissions. | IoT Hub permissions | PoLP and PIM: Apply PoLP and use PIM for privilege management |

Azure Cognitive Services

| STRIDE Category | Threat Description | Cognitive Services Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to APIs by impersonating users or applications. | API access control | Azure AD and Managed Identities: Enforce Azure AD and Managed Identities for API access |
| Tampering | Modifying data inputs or outputs to impact AI model outcomes. | Data inputs and outputs | Application Gateway WAF: Use WAF to secure data inputs |
| Repudiation | Lack of logging for API calls, making it difficult to trace usage. | API activity logs | Azure Monitor Logging: Enable Azure Monitor to trace API calls |
| Information Disclosure | Exposure of sensitive data in API responses due to lack of encryption. | API data transfer | Data Masking and Encryption: Mask and encrypt sensitive data in responses |
| Denial of Service | Service disruption by excessive API calls, impacting availability. | API rate limiting and quotas | Autoscale and Quotas: Enable Autoscale and set API usage quotas |
| Elevation of Privilege | Unauthorized elevation of privileges to access Cognitive Services configurations. | API access roles | PoLP and PIM: Apply PoLP and use PIM for access control |

Azure DevOps

| STRIDE Category | Threat Description | DevOps Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to DevOps resources by impersonating users. | DevOps projects and repositories | Azure AD and MFA: Use Azure AD with MFA for secure access |
| Tampering | Unauthorized modification of code in repositories or pipelines. | Repositories and pipelines | Branch Protection and Code Reviews: Enable branch protection policies and code reviews |
| Repudiation | Insufficient logging, making it difficult to track actions in DevOps. | DevOps activity logs | Auditing and Logging: Enable Auditing and Diagnostic Logging |
| Information Disclosure | Exposure of sensitive data in public repositories or pipeline outputs. | DevOps repositories and artifacts | RBAC and Private Repositories: Restrict access and enforce RBAC |
| Denial of Service | Overloading DevOps pipelines, resulting in reduced availability. | DevOps pipelines and agents | Autoscale and Monitoring: Enable Autoscale and monitor usage |
| Elevation of Privilege | Unauthorized access to sensitive DevOps configurations. | DevOps roles and permissions | PoLP and PIM: Enforce PoLP and use PIM for roles |

Azure Virtual Network (VNet)

| STRIDE Category | Threat Description | VNet Components | Mitigations |
|---|---|---|---|
| Spoofing | Unauthorized access to VNet by impersonating network users or devices. | VNet access | Azure AD and MFA: Enforce Azure AD with MFA for VNet access |
| Tampering | Modifying NSG rules or VNet configurations. | NSG and VNet configurations | Azure Policy and RBAC: Use Azure Policy to enforce secure network configurations |
| Repudiation | Lack of audit logging, making it hard to track actions in VNet. | VNet activity logs | Log Analytics and Azure Monitor: Enable logging with Azure Monitor |
| Information Disclosure | Exposure of sensitive network traffic due to permissive NSG rules. | NSG rules and public endpoints | Private Link and Restricted NSG Rules: Limit public access with Private Link |
| Denial of Service | Network performance issues due to high traffic volumes. | VNet bandwidth and resources | Autoscale and Monitoring: Enable Autoscale and monitor network performance |
| Elevation of Privilege | Unauthorized access to VNet configuration controls. | VNet management roles | PoLP and PIM: Apply PoLP and PIM for management roles |