Details of the Azure Security Benchmark Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Azure Security Benchmark. For more information about this compliance standard, see Azure Security Benchmark. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the Azure Security Benchmark controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Azure Security Benchmark Regulatory Compliance built-in initiative definition.

This built-in initiative is deployed as part of the Azure Security Benchmark blueprint sample.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Network Security

Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

ID: Azure Security Benchmark 1.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 1.0.0
All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 2.0.0-preview
App Service should use a virtual network service endpoint This policy audits any App Service not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit, Disabled 1.0.1-preview
Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 1.1.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 1.0.1
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.1
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 1.0.0
Private endpoint should be enabled for MariaDB servers This policy audits MariaDB servers not configured to use a private endpoint. For more details, visit https://aka.ms/mariadbprivatelink. AuditIfNotExists, Disabled 1.0.1
Private endpoint should be enabled for MySQL servers This policy audits MySQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/mysqlprivatelink. AuditIfNotExists, Disabled 1.0.1
Private endpoint should be enabled for PostgreSQL servers This policy audits PostgreSQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/pgprivatelink. AuditIfNotExists, Disabled 1.0.1
Service Bus should use a virtual network service endpoint This policy audits any Service Bus not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 2.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0
Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. AuditIfNotExists, Disabled 1.0.0

Monitor and log the configuration and traffic of Vnets, Subnets, and NICs

ID: Azure Security Benchmark 1.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. auditIfNotExists 1.0.0

Protect critical web applications

ID: Azure Security Benchmark 1.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. AuditIfNotExists, Disabled 1.0.0
CORS should not allow every resource to access your Function Apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 1.0.0
CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. AuditIfNotExists, Disabled 1.0.0
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Audit, Disabled 1.0.0
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0

Deny communications with known malicious IP addresses

ID: Azure Security Benchmark 1.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 1.0.0
All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 2.0.0-preview
Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 1.0.1
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.1

Record network packets and flow logs

ID: Azure Security Benchmark 1.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. auditIfNotExists 1.0.0

Use automated tools to monitor network resource configurations and detect changes

ID: Azure Security Benchmark 1.11 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.1.0
Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0

Logging and Monitoring

Configure central security log management

ID: Azure Security Benchmark 2.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data AuditIfNotExists, Disabled 1.0.0
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 1.0.0
Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0

Enable audit logging for Azure resources

ID: Azure Security Benchmark 2.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 1.0.0
Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised AuditIfNotExists, Disabled 1.0.0
Diagnostic logs in Azure Data Lake Store should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Azure Stream Analytics should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Batch accounts should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Data Lake Analytics should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Event Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in IoT Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 2.0.0
Diagnostic logs in Key Vault should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Logic Apps should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Search services should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Service Bus should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.0
Diagnostic logs in Virtual Machine Scale Sets should be enabled It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. AuditIfNotExists, Disabled 1.0.0
SQL Auditing settings should have Action-Groups configured to capture critical activities The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging AuditIfNotExists, Disabled 1.0.0

Collect security logs from operating systems

ID: Azure Security Benchmark 2.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data AuditIfNotExists, Disabled 1.0.0
Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0

Configure security log storage retention

ID: Azure Security Benchmark 2.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
SQL servers should be configured with auditing retention days greater than 90 days. Audit SQL servers configured with an auditing retention period of less than 90 days. AuditIfNotExists, Disabled 1.0.0

Enable alerts for anomalous activity

ID: Azure Security Benchmark 2.7 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0

Centralize anti-malware logging

ID: Azure Security Benchmark 2.8 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0

Identity and Access Control

Maintain an inventory of administrative accounts

ID: Azure Security Benchmark 3.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 1.0.0
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 1.0.0

Use dedicated administrative accounts

ID: Azure Security Benchmark 3.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 1.0.0
Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Windows VMs in which the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs in which the Administrators group does not contain only the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 1.0.0

Use multi-factor authentication for all Azure Active Directory based access

ID: Azure Security Benchmark 3.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

Use Azure Active Directory

ID: Azure Security Benchmark 3.9 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Ensure that Register with Azure Active Directory is enabled on API app Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords AuditIfNotExists, Disabled 1.0.0
Ensure that Register with Azure Active Directory is enabled on Function App Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords AuditIfNotExists, Disabled 1.0.0
Ensure that Register with Azure Active Directory is enabled on WEB App Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords AuditIfNotExists, Disabled 1.0.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0

Regularly review and reconcile user access

ID: Azure Security Benchmark 3.10 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0

Data Protection

Maintain an inventory of sensitive Information

ID: Azure Security Benchmark 4.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security AuditIfNotExists, Disabled 1.0.0-preview

Encrypt all sensitive information in transit

ID: Azure Security Benchmark 4.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Enforce SSL connection should be enabled for MySQL database servers This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. Audit, Disabled 1.0.0
Enforce SSL connection should be enabled for PostgreSQL database servers This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application Audit, Disabled 1.0.0
FTPS only should be required in your API App Enable FTPS enforcement for enhanced security AuditIfNotExists, Disabled 1.0.0
FTPS only should be required in your Function App Enable FTPS enforcement for enhanced security AuditIfNotExists, Disabled 1.0.0
FTPS should be required in your Web App Enable FTPS enforcement for enhanced security AuditIfNotExists, Disabled 1.0.0
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Latest TLS version should be used in your API App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Function App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Web App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0

Use an active discovery tool to identify sensitive data

ID: Azure Security Benchmark 4.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security AuditIfNotExists, Disabled 1.0.0-preview

Use Azure RBAC to control access to resources

ID: Azure Security Benchmark 4.6 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.0
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.1-preview

Encrypt sensitive information at rest

ID: Azure Security Benchmark 4.8 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Disk encryption should be applied on virtual machines VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
SQL Managed Instance TDE protector should be encrypted with your own key Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. AuditIfNotExists, Disabled 1.0.1
SQL server TDE protector should be encrypted with your own key Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. AuditIfNotExists, Disabled 1.0.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 1.0.0
Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Audit, Disabled 1.0.0

Log and alert on changes to critical Azure resources

ID: Azure Security Benchmark 4.9 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 1.0.0

Vulnerability Management

Run automated vulnerability scanning tools

ID: Azure Security Benchmark 5.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on virtual machines Monitors vulnerabilities detected by Azure Security Center vulnerability assessment on virtual machines. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.0

Deploy automated operating system patch management solution

ID: Azure Security Benchmark 5.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure that '.NET Framework' version is the latest, if used as a part of the API app Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that '.NET Framework' version is the latest, if used as a part of the Function App Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that '.NET Framework' version is the latest, if used as a part of the Web app Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists, Disabled 1.0.0
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0

Deploy automated third-party software patch management solution

ID: Azure Security Benchmark 5.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure that 'Java version' is the latest, if used as a part of the Api app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.1
Ensure that 'Java version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'PHP version' is the latest, if used as a part of the Api app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'PHP version' is the latest, if used as a part of the Function app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'PHP version' is the latest, if used as a part of the WEB app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Python version' is the latest, if used as a part of the Api app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Python version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Python version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit, Disabled 1.0.1-preview

Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

ID: Azure Security Benchmark 5.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities on your SQL databases should be remediated Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities should be remediated by a Vulnerability Assessment solution Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists, Disabled 1.0.0

Inventory and Asset Management

Use only approved applications

ID: Azure Security Benchmark 6.8 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 1.0.2

Use only approved Azure services

ID: Azure Security Benchmark 6.9 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

Implement approved application list

ID: Azure Security Benchmark 6.10 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 1.0.2

Secure Configuration

Maintain secure Azure resource configurations

ID: Azure Security Benchmark 7.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Pod Security Policies should be defined on Kubernetes Services Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. Audit, Disabled 1.0.0-preview

Maintain secure operating system configurations

ID: Azure Security Benchmark 7.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 1.0.0

Implement automated configuration monitoring for Azure services

ID: Azure Security Benchmark 7.9 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Pod Security Policies should be defined on Kubernetes Services Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. Audit, Disabled 1.0.0-preview

Implement automated configuration monitoring for operating systems

ID: Azure Security Benchmark 7.10 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 1.0.0

Manage Azure secrets securely

ID: Azure Security Benchmark 7.11 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Key Vault objects should be recoverable This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. Audit, Disabled 1.0.0

Manage identities securely and automatically

ID: Azure Security Benchmark 7.12 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Managed identity should be used in your API App Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 1.0.0
Managed identity should be used in your Function App Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 1.0.0
Managed identity should be used in your Web App Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 1.0.0

Malware Defense

Use centrally managed anti-malware software

ID: Azure Security Benchmark 8.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0

Ensure anti-malware software and signatures are updated

ID: Azure Security Benchmark 8.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0

Data Recovery

Ensure regular automated back ups

ID: Azure Security Benchmark 9.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data recovery and is easier to enable than other cloud backup services. AuditIfNotExists, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for MariaDB This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. Audit, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for MySQL This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. Audit, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. Audit, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 1.0.0

Perform complete system backups and backup any customer managed keys

ID: Azure Security Benchmark 9.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data recovery and is easier to enable than other cloud backup services. AuditIfNotExists, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for MariaDB This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. Audit, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for MySQL This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. Audit, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. Audit, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 1.0.0

Ensure protection of backups and customer managed keys

ID: Azure Security Benchmark 9.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Key Vault objects should be recoverable This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. Audit, Disabled 1.0.0

Incident Response

Provide security incident contact details and configure alert notifications for security incidents

ID: Azure Security Benchmark 10.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A security contact email address should be provided for your subscription Enter an email address to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0
A security contact phone number should be provided for your subscription Enter a phone number to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0

Note

Availability of specific Azure Policy definitions may vary in Azure Government and other national clouds.

Next steps

Additional articles about Azure Policy: