Azure Policy security baseline for Azure Security Benchmark

This security baseline applies guidance from the Azure Security Benchmark to Azure Policy. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the compliance domains and security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Policy. Controls not applicable to Azure Policy have been excluded. To see how Azure Policy completely maps to the Azure Security Benchmark, see the full Azure Policy security baseline mapping file.

For a mapping of the Azure Security Benchmark controls to built-in policy definitions via the built-in initiative, see Regulatory Compliance: Azure Security Benchmark.

Azure Policy uses the term Ownership in place of Responsibility. For details on Ownership, see Azure Policy policy definitions and Shared responsibility in the cloud.

Logging and monitoring

For more information, see Security control: Logging and monitoring.

2.3: Enable audit logging for Azure resources

Guidance: Azure Policy uses activity logs, which are automatically enabled and include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity and access control

For more information, see Security control: Identity and access control.

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

You can also enable a Just-In-Time / Just-Enough-Access solution by using Azure AD Privileged Identity Management Privileged Roles or Azure Resource Manager.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data protection

For more information, see Security control: Data protection.

4.6: Use Role-based access control to control access to resources

Guidance: Use Azure Active Directory role-based access control (RBAC) to control access to Azure Policy.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with activity logs to create alerts for when changes take place in Azure Policy.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Inventory and asset management

For more information, see Security control: Inventory and asset management.

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving them metadata that logically organizes them into a taxonomy. Use the Azure Policy modify effect to report on and enforce compliance and consistent tag governance.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
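As an added illustration of the modify effect referenced in the 6.2 guidance (example definition written for this page, not one of the built-in Azure Policy definitions), the following custom policy adds a default value for a required tag whenever a taggable resource is created or updated without it. The tagName and tagValue parameters and the displayName are assumptions; the role definition ID is the well-known built-in Contributor role, which the modify effect needs so the assignment's managed identity can write the tag.

```json
{
  "properties": {
    "displayName": "Add a default value for a required tag",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Adds the tag with a default value when it is missing. A remediation task applies the same change to existing resources.",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag every resource must carry, for example costCenter"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Default tag value",
          "description": "Value written when the tag is missing, for example unassigned"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
```

Assign the definition with a system-assigned managed identity (modify, like deployIfNotExists, does nothing without one) and the compliance report will show resources missing the tag as non-compliant until a remediation task fixes them; "mode": "Indexed" limits evaluation to resource types that support tags and location.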

6.4: Define and Maintain an inventory of approved Azure resources

Guidance: Create an inventory of approved policy definitions and policy assignments as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Next steps