Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark 1.3.0. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the CIS Microsoft Azure Foundations Benchmark 1.3.0 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the CIS Microsoft Azure Foundations Benchmark v1.3.0 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
1 Identity and Access Management
Ensure that multi-factor authentication is enabled for all privileged users
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Ensure that 'Users can register applications' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Ensure that 'Guest user permissions are limited' is set to 'Yes'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Ensure that 'Members can invite' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Ensure that 'Guests can invite' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure that 'Users can create security groups in Azure Portals' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.19 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure that multi-factor authentication is enabled for all non-privileged users
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.20 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
Ensure that no custom subscription owner roles are created
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.21 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure Security Defaults is enabled on Azure Active Directory
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
Ensure Custom Role is assigned for Administering Resource Locks
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure guest users are reviewed on a monthly basis
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Ensure that 'Notify users on password resets?' is set to 'Yes'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
2 Security Center
Ensure that Azure Defender is set to On for Servers
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Ensure any of the ASC Default policy setting is not set to "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Ensure 'Additional email addresses' is configured with a security contact email
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Ensure that 'Notify about alerts with the following severity' is set to 'High'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for Azure SQL database servers
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for SQL servers on machines
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for Storage
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for Kubernetes
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for Container Registries
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Azure Defender is set to On for Key Vault
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
3 Storage Accounts
Ensure that 'Secure transfer required' is set to 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Ensure Storage logging is enabled for Blob service for read, write, and delete requests
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure Storage logging is enabled for Table service for read, write, and delete requests
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure that storage account access keys are periodically regenerated
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Ensure Storage logging is enabled for Queue service for read, write, and delete requests
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure that shared access signature tokens expire within an hour
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Ensure that 'Public access level' is set to Private for blob containers
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Ensure default network access rule for Storage Accounts is set to deny
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 |
Ensure storage for critical data are encrypted with Customer Managed Key
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
4 Database Services
Ensure that 'Auditing' is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure that 'Data encryption' is set to 'On' on a SQL Database
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
Ensure that 'Auditing' Retention is 'greater than 90 days'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Ensure that VA setting Send scan reports to is configured for a SQL server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Ensure that Azure Active Directory Admin is configured
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Ensure SQL server's TDE protector is encrypted with Customer-managed key
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
5 Logging and Monitoring
Ensure that a 'Diagnostics Setting' exists
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Ensure Diagnostic Setting captures appropriate categories
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure the storage container storing the activity logs is not publicly accessible
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Maintain integrity of audit system | CMA_C1133 - Maintain integrity of audit system | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that logging for Azure KeyVault is 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Create Policy Assignment
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Delete Policy Assignment
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Create or Update Network Security Group
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Delete Network Security Group
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that activity log alert exists for the Delete Network Security Group Rule
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Create or Update Security Solution
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Delete Security Solution
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Ensure that Diagnostic Logs are enabled for all services which support it.
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
6 Networking
Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Ensure that Network Watcher is 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Verify security functions | CMA_C1708 - Verify security functions | Manual, Disabled | 1.1.0 |
7 Virtual Machines
Ensure Virtual Machines are utilizing Managed Disks
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Ensure that 'OS and Data' disks are encrypted with CMK
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Ensure that 'Unattached disks' are encrypted with CMK
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Ensure that only approved extensions are installed
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
Ensure that the latest OS Patches for all Virtual Machines are applied
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 4.0.0 |
Ensure that the endpoint protection for all Virtual Machines is installed
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
Ensure that VHD's are encrypted
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
8 Other Security Considerations
Ensure that the expiration date is set on all keys
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Ensure that the expiration date is set on all Secrets
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Ensure that Resource Locks are set for mission critical Azure resources
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Ensure the key vault is recoverable
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Maintain availability of information | CMA_C1644 - Maintain availability of information | Manual, Disabled | 1.1.0 |
Enable role-based access control (RBAC) within Azure Kubernetes Services
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.3 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
9 AppService
Ensure App Service Authentication is set on Azure App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 2.0.1 |
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 3.0.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Ensure FTP deployments are disabled
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Ensure Azure Keyvaults are used to store secrets
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Maintain availability of information | CMA_C1644 - Maintain availability of information | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Ensure web app is using the latest version of TLS encryption
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Ensure that Register with Azure Active Directory is enabled on App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Ensure that 'PHP version' is the latest, if used to run the web app
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Ensure that 'Python version' is the latest, if used to run the web app
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Ensure that 'Java version' is the latest, if used to run the web app
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Ensure that 'HTTP Version' is the latest, if used to run the web app
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for