Details of the CIS Microsoft Azure Foundations Benchmark Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in CIS Microsoft Azure Foundations Benchmark. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the CIS Microsoft Azure Foundations Benchmark controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative definition.

This built-in initiative is deployed as part of the CIS Microsoft Azure Foundations Benchmark blueprint sample.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
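Because a control can map to several policies, to one policy shared with other controls, or to no policy at all, the per-policy compliance states Azure Policy reports have to be rolled up before they say anything about a control. The script below is an added example, not part of this page or of Azure Policy itself: it takes a subset of the mapping tables on this page, a list of the controls you report on, and constructed sample compliance records (real records would come from `az policy state list`, which identifies policies by definition ID rather than display name, so you would join on the ID), and produces one status per control. The status names (NotCovered, NotAssessed, PartiallyAssessed) are this example's own, chosen to make the "partial view" caveat above explicit in the output.

```python
"""Roll up per-policy Azure Policy compliance states into per-control status.

Added example, not part of the page. Policy display names come from the mapping
tables on this page; the compliance records below are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict

# Subset of the page's mapping: CIS control ID -> Azure Policy display names.
CONTROL_TO_POLICIES: dict[str, list[str]] = {
    "CIS Azure 1.1": [
        "MFA should be enabled accounts with write permissions on your subscription",
        "MFA should be enabled on accounts with owner permissions on your subscription",
    ],
    "CIS Azure 1.2": ["MFA should be enabled on accounts with read permissions on your subscription"],
    "CIS Azure 3.1": ["Secure transfer to storage accounts should be enabled"],
    "CIS Azure 6.1": ["RDP access from the Internet should be blocked"],
    "CIS Azure 6.5": ["Network Watcher should be enabled"],
}

# Controls you are reporting on. 1.3 is deliberately absent from the mapping above
# to exercise the "no policy covers this control" path.
BENCHMARK_CONTROLS = ["CIS Azure 1.1", "CIS Azure 1.2", "CIS Azure 1.3",
                      "CIS Azure 3.1", "CIS Azure 6.1", "CIS Azure 6.5"]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
# Constructed sample records (policy display name, resource, compliance state).
SAMPLE_STATES = [
    {"policy": CONTROL_TO_POLICIES["CIS Azure 1.1"][0], "resource": SUB, "state": "Compliant"},
    {"policy": CONTROL_TO_POLICIES["CIS Azure 1.1"][1], "resource": SUB, "state": "NonCompliant"},
    {"policy": CONTROL_TO_POLICIES["CIS Azure 1.2"][0], "resource": SUB, "state": "Compliant"},
    {"policy": "Secure transfer to storage accounts should be enabled",
     "resource": SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1",
     "state": "Compliant"},
    {"policy": "Secure transfer to storage accounts should be enabled",
     "resource": SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st2",
     "state": "Exempt"},
    {"policy": "RDP access from the Internet should be blocked",
     "resource": SUB + "/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1",
     "state": "NonCompliant"},
    # No records for "Network Watcher should be enabled": not assigned, or not yet evaluated.
]


def rollup(states: list[dict], mapping: dict[str, list[str]], controls: list[str]) -> dict[str, str]:
    """Return one status per control.

    NotCovered: no policy definition is mapped to the control (manual check needed).
    NotAssessed: policies are mapped but produced no Compliant/NonCompliant results.
    NonCompliant: any mapped policy reports any non-compliant resource.
    PartiallyAssessed: nothing is non-compliant, but some mapped policy has no results.
    Compliant: every mapped policy has results and none are non-compliant.
    """
    by_policy: dict[str, list[str]] = defaultdict(list)
    for rec in states:
        by_policy[rec["policy"]].append(rec["state"])

    result: dict[str, str] = {}
    for control in controls:
        policies = mapping.get(control, [])
        if not policies:
            result[control] = "NotCovered"
            continue
        # Exempt/Unknown records are neither a pass nor a fail for the control.
        evaluated = [s for p in policies for s in by_policy.get(p, [])
                     if s in ("Compliant", "NonCompliant")]
        if not evaluated:
            result[control] = "NotAssessed"
        elif "NonCompliant" in evaluated:
            result[control] = "NonCompliant"
        elif any(p not in by_policy for p in policies):
            result[control] = "PartiallyAssessed"
        else:
            result[control] = "Compliant"
    return result


if __name__ == "__main__":
    for control, status in rollup(SAMPLE_STATES, CONTROL_TO_POLICIES, BENCHMARK_CONTROLS).items():
        print(f"{control}: {status}")
```

A control only reads Compliant when every policy mapped to it has been evaluated and none of those evaluations failed; a control with no mapped policy is reported as NotCovered rather than silently dropped, which is the gap the note above warns about.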

Identity and Access Management

Ensure that multi-factor authentication is enabled for all privileged users

ID: CIS Azure 1.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0
MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0

Ensure that multi-factor authentication is enabled for all non-privileged users

ID: CIS Azure 1.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0

Ensure that there are no guest users

ID: CIS Azure 1.3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0
External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0
External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0

Ensure that no custom subscription owner roles are created

ID: CIS Azure 1.23 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Audit, Disabled | 2.0.0

Security Center

Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'

ID: CIS Azure 2.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription | Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled"

ID: CIS Azure 2.3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled"

ID: CIS Azure 2.4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"

ID: CIS Azure 2.5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled"

ID: CIS Azure 2.6 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Disk encryption should be applied on virtual machines | VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled"

ID: CIS Azure 2.7 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled"

ID: CIS Azure 2.9 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 1.1.0
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 2.0.0

Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled"

ID: CIS Azure 2.10 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled"

ID: CIS Azure 2.12 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.1

Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled"

ID: CIS Azure 2.13 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 1.0.2

Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"

ID: CIS Azure 2.14 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0

Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled"

ID: CIS Azure 2.15 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Security contact emails' is set

ID: CIS Azure 2.16 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A security contact email address should be provided for your subscription | Enter an email address to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0

Ensure that security contact 'Phone number' is set

ID: CIS Azure 2.17 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Send email notification for high severity alerts' is set to 'On'

ID: CIS Azure 2.18 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Email notification for high severity alerts should be enabled | Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Send email also to subscription owners' is set to 'On'

ID: CIS Azure 2.19 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Email notification to subscription owner for high severity alerts should be enabled | Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion. | AuditIfNotExists, Disabled | 1.0.0

Storage Accounts

Ensure that 'Secure transfer required' is set to 'Enabled'

ID: CIS Azure 3.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0

Ensure default network access rule for Storage Accounts is set to deny

ID: CIS Azure 3.7 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.0

Ensure 'Trusted Microsoft Services' is enabled for Storage Account access

ID: CIS Azure 3.8 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0

Database Services

Ensure that 'Auditing' is set to 'On'

ID: CIS Azure 4.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly

ID: CIS Azure 4.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure thorough audit logging. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Auditing' Retention is 'greater than 90 days'

ID: CIS Azure 4.3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
SQL servers should be configured with auditing retention days greater than 90 days. | Audit SQL servers configured with an auditing retention period of less than 90 days. | AuditIfNotExists, Disabled | 1.0.0
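Controls 4.1, 4.2 and 4.3 all read the same resource, the server-level auditing settings (`Microsoft.Sql/servers/auditingSettings`). The script below is an added example, not part of this page or of Azure Policy: it evaluates a constructed `properties` object of that resource against the three controls as the policies above express them. Two points it encodes that the table rows leave implicit: `retentionDays` of 0 means the storage-account target keeps audit logs indefinitely, which satisfies the retention control rather than failing it, and the policy for 4.3 flags retention below 90 days, so exactly 90 passes even though the control title says "greater than". The required action-group set is taken from the 4.2 policy description; the sample settings are constructed.

```python
"""Evaluate an Azure SQL server's auditing settings against CIS Azure 4.1-4.3.

Added example, not part of the page. The settings objects below are constructed and
shaped like the `properties` of a Microsoft.Sql/servers/auditingSettings resource.
"""
from __future__ import annotations

# From the policy description for CIS Azure 4.2 on this page.
REQUIRED_ACTION_GROUPS = {
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
}
MIN_RETENTION_DAYS = 90  # the 4.3 policy flags anything below this


def evaluate_auditing(props: dict) -> dict[str, bool]:
    """Return pass/fail per control for one server's auditing settings.

    retentionDays governs the storage-account target; 0 means keep indefinitely,
    which satisfies the retention control. Disabled auditing fails all three.
    """
    enabled = str(props.get("state", "Disabled")).lower() == "enabled"
    groups = set(props.get("auditActionsAndGroups") or [])
    retention = int(props.get("retentionDays") or 0)
    retention_ok = retention == 0 or retention >= MIN_RETENTION_DAYS
    return {
        "4.1 auditing enabled": enabled,
        "4.2 action groups": enabled and REQUIRED_ACTION_GROUPS <= groups,
        "4.3 retention": enabled and retention_ok,
    }


def missing_action_groups(props: dict) -> list[str]:
    """Action groups the server still needs before it satisfies CIS Azure 4.2."""
    return sorted(REQUIRED_ACTION_GROUPS - set(props.get("auditActionsAndGroups") or []))


# Constructed sample settings (storage endpoint is a placeholder, not a real account).
GOOD_SERVER = {
    "state": "Enabled",
    "storageEndpoint": "https://stauditlogs.blob.core.windows.net/",
    "retentionDays": 0,  # unlimited retention in the storage target
    "auditActionsAndGroups": sorted(REQUIRED_ACTION_GROUPS),
}
WEAK_SERVER = {
    "state": "Enabled",
    "storageEndpoint": "https://stauditlogs.blob.core.windows.net/",
    "retentionDays": 30,
    "auditActionsAndGroups": ["SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
                              "FAILED_DATABASE_AUTHENTICATION_GROUP"],
}
OFF_SERVER = {"state": "Disabled"}

if __name__ == "__main__":
    for name, server in (("good", GOOD_SERVER), ("weak", WEAK_SERVER), ("off", OFF_SERVER)):
        print(name, evaluate_auditing(server), "missing:", missing_action_groups(server))
```

When auditing is sent to a Log Analytics workspace or Event Hub instead of a storage account, `retentionDays` does not apply and the retention requirement has to be verified on the workspace or hub instead; this check deliberately reads only the storage-target fields.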

Ensure that 'Advanced Data Security' on a SQL server is set to 'On'

ID: CIS Azure 4.4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1
Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Azure Active Directory Admin is configured

ID: CIS Azure 4.8 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Data encryption' is set to 'On' on a SQL Database

ID: CIS Azure 4.9 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0

Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)

ID: CIS Azure 4.10 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
SQL Managed Instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.1
SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0

Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server

ID: CIS Azure 4.11 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Enforce SSL connection should be enabled for MySQL database servers | This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

ID: CIS Azure 4.12 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0

Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

ID: CIS Azure 4.13 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Enforce SSL connection should be enabled for PostgreSQL database servers | This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0

Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server

ID: CIS Azure 4.14 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

ID: CIS Azure 4.15 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0

Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

ID: CIS Azure 4.16 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | AuditIfNotExists, Disabled | 1.0.0

Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

ID: CIS Azure 4.17 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0

Logging and Monitoring

Ensure that a Log Profile exists

ID: CIS Azure 5.1.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Azure subscriptions should have a log profile for Activity Log | This policy ensures that a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Retention is set 365 days or greater

ID: CIS Azure 5.1.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0

Ensure audit profile captures all the activities

ID: CIS Azure 5.1.3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. | AuditIfNotExists, Disabled | 1.0.0

Ensure the log profile captures activity logs for all regions including global

ID: CIS Azure 5.1.4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 1.0.0
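Controls 5.1.1 through 5.1.4 are all properties of one object, the subscription's Azure Monitor log profile (`Microsoft.Insights/logprofiles`): it must exist with a storage or event hub sink, keep events for 365 days or forever, collect the Write, Delete and Action categories, and cover every region plus "global". The script below is an added example, not part of this page or of Azure Policy: it evaluates a constructed `properties` object of a log profile against the four controls, with the subscription's region list passed in (a constructed stand-in here for what `az account list-locations` returns). As the 5.1.2 policy description says, `retentionPolicy.days` of 0 means forever; this example additionally treats a retention policy with `enabled` set to false as "no deletion", which is an assumption of the example.

```python
"""Evaluate an Azure Monitor log profile against CIS Azure 5.1.1-5.1.4.

Added example, not part of the page. The profile objects are constructed and shaped
like the `properties` of a Microsoft.Insights/logprofiles resource; REGIONS is a
constructed stand-in for the subscription's available locations.
"""
from __future__ import annotations

from typing import Optional

REQUIRED_CATEGORIES = {"write", "delete", "action"}
MIN_RETENTION_DAYS = 365


def _expected_locations(subscription_regions: list[str]) -> set[str]:
    """Every region the subscription can deploy to, plus the 'global' pseudo-region."""
    return {r.lower() for r in subscription_regions} | {"global"}


def evaluate_log_profile(props: Optional[dict], subscription_regions: list[str]) -> dict[str, bool]:
    """Pass/fail per control. A missing profile (None) fails every control.

    Retention: days == 0 keeps events indefinitely (as the 5.1.2 policy states).
    Assumption of this example: retentionPolicy.enabled == False also means no deletion.
    """
    if props is None:
        return {"5.1.1 profile exists": False, "5.1.2 retention": False,
                "5.1.3 categories": False, "5.1.4 all regions": False}
    has_sink = bool(props.get("storageAccountId") or props.get("serviceBusRuleId"))
    policy = props.get("retentionPolicy") or {}
    days = int(policy.get("days") or 0)
    forever = (not policy.get("enabled", False)) or days == 0
    categories = {c.lower() for c in props.get("categories") or []}
    locations = {loc.lower() for loc in props.get("locations") or []}
    return {
        "5.1.1 profile exists": has_sink,
        "5.1.2 retention": forever or days >= MIN_RETENTION_DAYS,
        "5.1.3 categories": REQUIRED_CATEGORIES <= categories,
        "5.1.4 all regions": _expected_locations(subscription_regions) <= locations,
    }


def missing_regions(props: dict, subscription_regions: list[str]) -> list[str]:
    """Regions (including 'global') the profile does not export activity logs for."""
    locations = {loc.lower() for loc in props.get("locations") or []}
    return sorted(_expected_locations(subscription_regions) - locations)


# Constructed sample data.
REGIONS = ["eastus", "westeurope", "southeastasia"]
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
GOOD_PROFILE = {
    "storageAccountId": SUB + "/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stactivitylogs",
    "locations": ["global"] + REGIONS,
    "categories": ["Write", "Delete", "Action"],
    "retentionPolicy": {"enabled": True, "days": 0},
}
WEAK_PROFILE = {
    "storageAccountId": GOOD_PROFILE["storageAccountId"],
    "locations": ["eastus", "westeurope"],        # missing southeastasia and global
    "categories": ["Write", "Delete"],            # missing Action
    "retentionPolicy": {"enabled": True, "days": 90},
}

if __name__ == "__main__":
    print("good:", evaluate_log_profile(GOOD_PROFILE, REGIONS))
    print("weak:", evaluate_log_profile(WEAK_PROFILE, REGIONS),
          "missing regions:", missing_regions(WEAK_PROFILE, REGIONS))
    print("none:", evaluate_log_profile(None, REGIONS))
```

One caveat when reading a "no log profile" result: log profiles are the mechanism this benchmark version assumes, but a subscription can also export its activity log through a subscription-scope diagnostic setting to a workspace, storage account or event hub. In that case the profile is legitimately absent and the exporting sink, its categories and its retention have to be checked on the diagnostic setting instead.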

Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)

ID: CIS Azure 5.1.6 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | AuditIfNotExists, Disabled | 1.0.0

Ensure that logging for Azure KeyVault is 'Enabled'

ID: CIS Azure 5.1.7 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Diagnostic logs in Key Vault should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0

Ensure that Activity Log Alert exists for Create Policy Assignment

ID: CIS Azure 5.2.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 2.0.0

Ensure that Activity Log Alert exists for Create or Update Network Security Group

ID: CIS Azure 5.2.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Alert exists for Delete Network Security Group

ID: CIS Azure 5.2.3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule

ID: CIS Azure 5.2.4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that activity log alert exists for the Delete Network Security Group Rule

ID: CIS Azure 5.2.5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Alert exists for Create or Update Security Solution

ID: CIS Azure 5.2.6 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Alert exists for Delete Security Solution

ID: CIS Azure 5.2.7 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule

ID: CIS Azure 5.2.8 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Ensure that Activity Log Alert exists for Update Security Policy

ID: CIS Azure 5.2.9 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0

Networking

Ensure that RDP access is restricted from the internet

ID: CIS Azure 6.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Audit, Disabled | 2.0.0

Ensure that SSH access is restricted from the internet

ID: CIS Azure 6.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Audit, Disabled | 2.0.0
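Both policies above work rule by rule: an inbound Allow rule whose source covers the Internet and whose destination ports include 3389 or 22 is reported, whatever else the NSG contains. The script below is an added example, not part of this page or of Azure Policy, that applies the same per-rule logic to a constructed network security group. It handles the forms a rule's properties actually take (the singular `destinationPortRange` / `sourceAddressPrefix` or the plural list forms, port ranges such as `3000-4000`, and the `*` wildcard for ports and protocol). The set of source prefixes that count as "the Internet" (`*`, the `Internet` service tag, `0.0.0.0/0`, `/0`) is this example's assumption about what the policies mean by "from Internet".

```python
"""Find NSG rules that allow RDP (3389) or SSH (22) inbound from the Internet.

Added example, not part of the page. Mirrors the per-rule check the two policies
above apply: an inbound Allow rule whose source covers the Internet and whose
destination ports include a management port is flagged. SAMPLE_NSG is constructed.
"""
from __future__ import annotations

# Assumption of this example: what "from the Internet" means for the check.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "/0"}
MANAGEMENT_PORTS = {"RDP": 3389, "SSH": 22}


def port_in_spec(port: int, spec: str) -> bool:
    """True if `spec` ("*", "22", or "3000-4000") covers `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _values(props: dict, single: str, plural: str) -> list[str]:
    """NSG rules carry either the singular property or the plural list form (or both)."""
    values = list(props.get(plural) or [])
    if props.get(single):
        values.append(props[single])
    return values


def exposed_management_ports(rule: dict) -> list[str]:
    """Names of management ports this single rule opens to the Internet."""
    props = rule["properties"]
    if props.get("access", "").lower() != "allow":
        return []
    if props.get("direction", "").lower() != "inbound":
        return []
    if props.get("protocol", "*").lower() not in ("*", "tcp"):
        return []  # RDP and SSH are TCP; a UDP-only rule does not expose them
    sources = _values(props, "sourceAddressPrefix", "sourceAddressPrefixes")
    if not any(s.lower() in INTERNET_SOURCES for s in sources):
        return []
    ports = _values(props, "destinationPortRange", "destinationPortRanges")
    return [name for name, port in MANAGEMENT_PORTS.items()
            if any(port_in_spec(port, spec) for spec in ports)]


def audit_nsg(nsg: dict) -> dict[str, list[str]]:
    """Map each offending rule name to the management ports it exposes."""
    findings: dict[str, list[str]] = {}
    for rule in nsg["properties"]["securityRules"]:
        hit = exposed_management_ports(rule)
        if hit:
            findings[rule["name"]] = hit
    return findings


def _rule(name: str, priority: int, access: str, protocol: str = "Tcp", **props) -> dict:
    """Build a minimal inbound NSG rule; keyword args are additional rule properties."""
    base = {"priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourcePortRange": "*", "destinationAddressPrefix": "*"}
    base.update(props)
    return {"name": name, "properties": base}


# Constructed sample NSG.
SAMPLE_NSG = {"name": "nsg-web", "properties": {"securityRules": [
    _rule("allow-rdp-internet", 100, "Allow", sourceAddressPrefix="*", destinationPortRange="3389"),
    _rule("allow-ssh-corp", 110, "Allow", sourceAddressPrefix="10.0.0.0/8", destinationPortRange="22"),
    _rule("allow-mgmt-ranges", 120, "Allow", protocol="*", sourceAddressPrefix="Internet",
          destinationPortRanges=["22-23", "3000-4000"]),
    _rule("allow-https", 130, "Allow", sourceAddressPrefixes=["0.0.0.0/0"], destinationPortRange="443"),
    _rule("deny-all-inbound", 4096, "Deny", sourceAddressPrefix="*", destinationPortRange="*"),
]}}

if __name__ == "__main__":
    for rule_name, ports in audit_nsg(SAMPLE_NSG).items():
        print(f"{rule_name}: exposes {', '.join(ports)} to the Internet")
```

Like the policies, this reports rules, not reachability: NSG rules are evaluated in priority order, so a lower-numbered Deny rule on the same NSG can neutralize an Allow rule that is still flagged here, and a second NSG on the subnet can block what the NIC-level NSG permits. Treat a finding as a rule to remove or narrow, and confirm the effective path with Network Watcher (control 6.5 below), which the benchmark expects to be enabled for exactly this kind of verification.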

Ensure that Network Watcher is 'Enabled'

ID: CIS Azure 6.5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. | auditIfNotExists | 1.0.0

Virtual Machines

Ensure that 'OS disk' are encrypted

ID: CIS Azure 7.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Disk encryption should be applied on virtual machines | VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Data disks' are encrypted

ID: CIS Azure 7.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Disk encryption should be applied on virtual machines | VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure that 'Unattached disks' are encrypted

ID: CIS Azure 7.3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Audit, Disabled | 1.0.0

Ensure that only approved extensions are installed

ID: CIS Azure 7.4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0

Ensure that the latest OS Patches for all Virtual Machines are applied

ID: CIS Azure 7.5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Ensure that the endpoint protection for all Virtual Machines is installed

ID: CIS Azure 7.6 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0

Other Security Considerations

Ensure the key vault is recoverable

ID: CIS Azure 8.4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Key Vault objects should be recoverable | This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. | Audit, Disabled | 1.0.0

Enable role-based access control (RBAC) within Azure Kubernetes Services

ID: CIS Azure 8.5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.1-preview

AppService

Ensure App Service Authentication is set on Azure App Service

ID: CIS Azure 9.1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. | AuditIfNotExists, Disabled | 1.0.0
Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 1.0.0
Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 1.0.0

Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service

ID: CIS Azure 9.2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0

Ensure web app is using the latest version of TLS encryption

ID: CIS Azure 9.3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

ID: CIS Azure 9.4 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |

Ensure that Register with Azure Active Directory is enabled on App Service

ID: CIS Azure 9.5 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that Register with Azure Active Directory is enabled on API app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registered with Azure Active Directory, the app connects to other Azure services securely without the need for usernames and passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that Register with Azure Active Directory is enabled on Function App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registered with Azure Active Directory, the app connects to other Azure services securely without the need for usernames and passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that Register with Azure Active Directory is enabled on WEB App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registered with Azure Active Directory, the app connects to other Azure services securely without the need for usernames and passwords. | AuditIfNotExists, Disabled | 1.0.0 |

Ensure that '.Net Framework' version is the latest, if used as a part of the web app

ID: CIS Azure 9.6 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that '.NET Framework' version is the latest, if used as a part of the API app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET Framework version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET Framework version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET Framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |

Ensure that 'PHP version' is the latest, if used to run the web app

ID: CIS Azure 9.7 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |

Ensure that 'Python version' is the latest, if used to run the web app

ID: CIS Azure 9.8 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |

Ensure that 'Java version' is the latest, if used to run the web app

ID: CIS Azure 9.9 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.1 |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |

Ensure that 'HTTP Version' is the latest, if used to run the web app

ID: CIS Azure 9.10 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for API apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |

Note

Availability of specific Azure Policy definitions may vary in Azure Government and other national clouds.

Next steps

Additional articles about Azure Policy: