How To

Real-time Azure v2.0.0 CIS Benchmark assessments

Assess your security posture with automated Azure CIS v2.0.0 assessments that provide real-time dashboard updates and instant alerts.

Turbot Team
5 min. read - May 15, 2024

Center for Internet Security (CIS) benchmarks for Azure are widely used by cloud teams as guidance to configure their Azure subscriptions securely. The latest iteration, Azure CIS v2.0.0, includes over 150 recommendations to evaluate your posture against best practices.

Turbot Guardrails now supports the Azure CIS v2.0.0 Benchmark. Use it to enable continuous monitoring of your cloud environment's security posture, and to ensure compliance with industry standards as resources are created and modified.

Go beyond CIS reporting with Guardrails

Traditional compliance assessments rely on periodic scans of your environment, which only give you a point-in-time view of your security posture. But the cloud is dynamic: resources change rapidly, and misconfigurations and security gaps can appear at any time between scans.

Turbot Guardrails evaluates your Azure resources against the CIS v2.0.0 Benchmark in real-time. As resources are created or modified, Guardrails instantly assesses them for compliance and provides a view of your security posture that's always current.

Key Features of Turbot Guardrails' CIS Benchmark controls:

  1. Instant Evaluation. As new Azure resources are created or modified, Guardrails immediately assesses them against the relevant CIS controls, providing instant feedback on your compliance status.
  2. Real-time Alerts. Stay informed about critical changes in your compliance posture with real-time alerts. Guardrails can send notifications to Slack, MS Teams, and email, so you and your team always know when benchmarks aren't green.
  3. Take action. By default, Guardrails will alert on misconfigurations. You can use Guardrails' quick actions to fix mistakes, and you can set continuous enforcement.
  4. Controlled Attestations. Some CIS controls are manual and require attestations. Track evidence of your reviews and set reminders to re-evaluate the control next audit period.
  5. Set Exceptions. Not all organizations require every CIS Benchmark recommendation. Set time-based exceptions to ignore recommendations per account or per resource when not applicable.
  6. Comprehensive Reporting. See an always up-to-date view of your compliance status, from sections of the benchmark to per-resource compliance, in the Guardrails console. Generate detailed reports, including CSV exports for easy sharing and analysis.

How to monitor Azure CIS v2.0.0 using Guardrails

Install the Azure CIS mods

To get started, install the @turbot/cis and the @turbot/azure-cisv2-0 mods.

Enable the Azure CIS Benchmark

Once installed, set the policy for Azure > CIS v2.0 to Check: All CIS Benchmarks.

Enable Azure CIS v2.0.0 Policy

Guardrails will immediately assess all applicable resources for compliance to Azure CIS Benchmark v2.0.0.

Azure CIS v2.0.0 Benchmark

Assess your CIS adherence

See control status for each benchmark section.

Azure CIS v2.0.0 Storage Accounts recommendations

In this example, recommendation 3.1 - Ensure that 'Secure transfer required' is set to 'Enabled', we can see that the Azure Storage Accounts are reporting in a mix of ALARM and OK states.

Azure CIS v2.0.0 3.1 recommendation

In some cases you may need to suppress or ignore a control on a specific resource. As with any Guardrails policy, you can set time-based exceptions for one or many resources.

Azure CIS v2.0.0 Exception

In this case we set the policy to Skip the acmedemoaz2 storage account for 30 days. The storage account now shows it is in a skipped state and will be reassessed automatically after the exception expires.
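The console steps above (installing the two mods, setting Azure > CIS v2.0 to Check: All CIS Benchmarks, and adding a time-boxed Skip for one storage account) can also be codified with the Turbot Guardrails Terraform provider, which is useful when exceptions need to be reviewable in version control. The block below is an added example, not code from this post or from the Turbot mods; the policy type URIs, the subscription ID, the resource group and the storage account AKA are assumptions, and should be replaced with the values shown on the policy and resource pages in your Guardrails console.

```hcl
terraform {
  required_providers {
    turbot = {
      source = "turbot/turbot"
    }
  }
}

# Credentials come from the TURBOT_WORKSPACE, TURBOT_ACCESS_KEY and
# TURBOT_SECRET_KEY environment variables (or a Guardrails profile).
provider "turbot" {}

# Step 1: install the @turbot/cis and @turbot/azure-cisv2-0 mods.
# "tmod:@turbot/turbot#/" is the workspace root AKA.
resource "turbot_mod" "cis" {
  parent = "tmod:@turbot/turbot#/"
  org    = "tmod:@turbot/turbot#/"
  mod    = "@turbot/cis"
}

resource "turbot_mod" "azure_cisv2_0" {
  parent     = "tmod:@turbot/turbot#/"
  org        = "tmod:@turbot/turbot#/"
  mod        = "@turbot/azure-cisv2-0"
  depends_on = [turbot_mod.cis]
}

# Step 2: set Azure > CIS v2.0 to "Check: All CIS Benchmarks" at the root so
# every Azure subscription inherits it. ASSUMPTION: the policy type URI is
# inferred from the mod name; copy the real URI from the policy's console page.
resource "turbot_policy_setting" "azure_cis_v2_check" {
  resource   = "tmod:@turbot/turbot#/"
  type       = "tmod:@turbot/azure-cisv2-0#/policy/types/cisV2"
  value      = "Check: All CIS Benchmarks"
  depends_on = [turbot_mod.azure_cisv2_0]
}

# Step 3: a 30-day exception for recommendation 3.1 on the acmedemoaz2 storage
# account only. ASSUMPTIONS: the storage account AKA (subscription ID and
# resource group are placeholders) and the control's policy type URI.
# valid_to_timestamp expires the setting, after which Guardrails re-evaluates
# the resource; the note records the justification for auditors. A fixed
# timestamp is used on purpose: timeadd(timestamp(), ...) would change on
# every plan and silently roll the exception forward.
resource "turbot_policy_setting" "skip_3_1_acmedemoaz2" {
  resource           = "azure:///subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acme-demo/providers/Microsoft.Storage/storageAccounts/acmedemoaz2"
  type               = "tmod:@turbot/azure-cisv2-0#/policy/types/s03r01" # placeholder URI
  value              = "Skip"
  valid_to_timestamp = "2024-06-14T00:00:00Z" # 30 days after this post's date
  note               = "Legacy client still requires HTTP; migration tracked in the change ticket"
  depends_on         = [turbot_mod.azure_cisv2_0]
}
```

Run terraform plan before apply and confirm that the plan shows exactly one policy setting at the root and one per-resource Skip; if the provider rejects a type URI, the placeholder did not match the mod and the correct URI is on the policy's page in the console. Keeping the expiry as a literal timestamp means an expired exception shows up as a reviewable change rather than renewing itself.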

Azure CIS v2.0.0 Skipped Recommendation

Instant Azure CIS alerts

When cloud resources are created or updated, Guardrails instantly provides feedback on the state of the recommendation. In this example we created the storage account acmedemoaz3, which was instantly discovered and evaluated for CIS compliance.

Azure CIS v2.0.0 Alert

Beyond alerts in the Turbot Guardrails console, you and your team members can subscribe to alerts via email, MS Teams or Slack.

Azure CIS v2.0.0 Alert in Slack

Take action on your CIS alerts

Guardrails quick actions provide direct links to the Guardrails console where you can immediately apply fixes. This enables workflows that keep human approvers in the loop.

Azure CIS v2.0.0 Guardrails Enforce Policy

In our post Instant AWS CIS v3.0.0 Benchmark compliance, using AWS as the example, we show how you can go further by setting guardrails to continuously enforce CIS recommendations with no human intervention.


Level up your security posture with Guardrails

Elevate your compliance game with Turbot Guardrails and experience real-time adherence to the Azure CIS v2.0.0 Benchmark. With instant visibility into your security posture and flexible reporting options, Guardrails makes it easier and faster to address any deviations from best practices.

Turbot Guardrails also supports the latest CIS assessments for AWS and GCP. Try all the CIS Benchmarks, using the 14-day free trial, to gain instant feedback on your adherence to CIS recommendations.