azure-cisv4-0 v5.0.0 is now available
Feb 03, 2026 • Mods
Control Types
- Azure > CIS v4.0
- Azure > CIS v4.0 > 02 - Common Reference Recommendations
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service}
- Azure > CIS v4.0 > 03 - Analytics Services
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.08 - Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK)
- Azure > CIS v4.0 > 04 - Compute Services
- Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines
- Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v4.0 > 06 - Identity Services
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA)
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure that an exclusionary device code flow policy is considered
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.03 - Ensure that use of the 'User Access Administrator' role is restricted
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
- Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure that 'Number of methods required to reset' is set to '2'
- Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure that account 'Lockout threshold' is less than or equal to '10'
- Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
- Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent'
- Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
- Azure > CIS v4.0 > 06 - Identity Services > 06.14 - Ensure that 'Users can register applications' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.23 - Ensure that no custom subscription administrator roles exist
- Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure that a custom role is assigned permissions for administering resource locks
- Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > CIS v4.0 > 07 - Management and Governance
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.11 - Ensure that Activity Log Alert exists for Service Health
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights > 07.01.03.01 - Ensure Application Insights are Configured
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v4.0 > 08 - Networking
- Azure > CIS v4.0 > 08 - Networking > 08.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v4.0 > 08 - Networking > 08.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v4.0 > 08 - Networking > 08.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
- Azure > CIS v4.0 > 09 - Security Services
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.01 - Ensure that Defender for Servers is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers > 09.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage > 09.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service > 09.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault > 09.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager > 09.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.17 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT
- Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.05 - Ensure the Key Vault is Recoverable
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.07 - Ensure that Public Network Access when using Private Endpoint is disabled
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.08 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
- Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion
- Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion > 09.04.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v4.0 > 10 - Storage Services
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.01 - Ensure soft delete for Azure File Shares is Enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
- Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage
- Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.02 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.03 - Ensure default network access rule for storage accounts is set to deny
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management > 10.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.06 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.07 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.08 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.09 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.12 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts
Policy Types
- Azure > CIS v4.0
- Azure > CIS v4.0 > 02 - Common Reference Recommendations
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK) > Attestation
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK) > Attestation
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled > Attestation
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default > Attestation
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service}
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service} > Attestation
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > Maximum Attestation Duration
- Azure > CIS v4.0 > 03 - Analytics Services
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets > Attestation
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes > Attestation
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks > Attestation
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks > Attestation
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens > Attestation
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks > Attestation
- Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.08 - Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK)
- Azure > CIS v4.0 > 03 - Analytics Services > Maximum Attestation Duration
- Azure > CIS v4.0 > 04 - Compute Services
- Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines
- Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation
- Azure > CIS v4.0 > 04 - Compute Services > Maximum Attestation Duration
- Azure > CIS v4.0 > 06 - Identity Services
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA)
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
- Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure exclusionary device code flow policy is considered
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure exclusionary device code flow policy is considered > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals
- Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.03 - Ensure that use of the 'User Access Administrator' role is restricted
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
- Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure 'Number of methods required to reset' is set to '2'
- Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure 'Number of methods required to reset' is set to '2' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure account 'Lockout threshold' is less than or equal to '10'
- Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure account 'Lockout threshold' is less than or equal to '10' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure 'Custom banned password list' is set to 'Enforce'
- Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure 'Custom banned password list' is set to 'Enforce' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure 'Notify users on password resets?' is set to 'Yes' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent'
- Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure user consent is 'Allow for verified publishers only'
- Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure user consent is 'Allow for verified publishers only' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.14 - Ensure 'Users can register applications' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure 'Guest users access restrictions' is properly configured
- Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure 'Guest users access restrictions' is properly configured > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure 'Restrict access to Microsoft Entra admin center' is set to 'Yes' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure 'Restrict user ability to access groups features' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure 'Restrict user ability to access groups features' is set to 'Yes' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure 'Users can create security groups' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure 'Users can create security groups' is set to 'No' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure 'Users can create M365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure 'Users can create M365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.23 - Ensure no custom subscription administrator roles exist
- Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure custom role is assigned permissions for administering resource locks
- Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure custom role is assigned permissions for administering resource locks > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment > Attestation
- Azure > CIS v4.0 > 06 - Identity Services > Maximum Attestation Duration
- Azure > CIS v4.0 > 07 - Management and Governance
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.11 - Ensure that Activity Log Alert exists for Service Health
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights > 07.01.03.01 - Ensure Application Insights are Configured
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.05 - Ensure SKU Basic/Consumption is not used on artifacts that need to be monitored
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.05 - Ensure SKU Basic/Consumption is not used on artifacts that need to be monitored > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
- Azure > CIS v4.0 > 07 - Management and Governance > Maximum Attestation Duration
- Azure > CIS v4.0 > 08 - Networking
- Azure > CIS v4.0 > 08 - Networking > 08.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v4.0 > 08 - Networking > 08.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v4.0 > 08 - Networking > 08.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis > Attestation
- Azure > CIS v4.0 > 08 - Networking > 08.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
- Azure > CIS v4.0 > 08 - Networking > Maximum Attestation Duration
- Azure > CIS v4.0 > 09 - Security Services
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.01 - Ensure that Defender for Servers is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers > 09.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage > 09.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service > 09.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault > 09.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager > 09.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.17 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT
- Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.05 - Ensure the Key Vault is Recoverable
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.07 - Ensure that Public Network Access when using Private Endpoint is disabled
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.08 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
- Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required > Attestation
- Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion
- Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion > 09.04.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v4.0 > 09 - Security Services > Maximum Attestation Duration
- Azure > CIS v4.0 > 10 - Storage Services
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.01 - Ensure soft delete for Azure File Shares is Enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
- Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
- Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage
- Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.02 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated > Attestation
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.02 - Ensure 'Public Network Access' is 'Disabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.03 - Ensure default network access rule is set to deny
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management > 10.03.03.01 - Ensure 'Default to Microsoft Entra authorization' is 'Enabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.04 - Ensure 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.05 - Ensure 'Allow Azure services on trusted services list' is Enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.06 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.07 - Ensure 'Minimum TLS version' is set to 'Version 1.2'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.08 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.09 - Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied > Attestation
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered > Attestation
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.12 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' for critical accounts
- Azure > CIS v4.0 > 10 - Storage Services > Maximum Attestation Duration
- Azure > CIS v4.0 > Maximum Attestation Duration
Note: To ensure compatibility and proper functioning of the Guardrails Azure CIS v4 mod, we recommend updating all dependent mods to their latest versions.