How To

Get to green with real-time remediation for Azure CIS v2.0.0

Turn your Azure CIS Benchmark green with auto-remediation guardrails to comply with Azure best practice security standards.

Turbot Team
5 min. read - Jul 22, 2024

In our previous blog post, Real-time Azure v2.0.0 CIS Benchmark assessments, we showed how Turbot Guardrails enables continuous monitoring of your Azure environment against the CIS v2.0.0 Benchmark. Guardrails discovers changes in real-time, instantly evaluates compliance, sends alerts when misconfigurations are detected, and takes quick actions to immediately apply fixes.

But what if you could automatically fix those misconfigurations and maintain a secure and compliant environment without manual intervention? With Turbot Guardrails' auto-remediation policies, you can.

Effortless CIS compliance with auto-remediation

Traditional security incident management relies on manual processes to address misconfigurations identified in periodic assessments. This approach is time-consuming, error-prone, and leaves your environment vulnerable between scans.

Turbot Guardrails takes CIS assessments to the next level with auto-remediation policies. Guardrails detects configuration drift in real-time, evaluates the change for a misconfiguration, and can automatically take action to fix the issue and bring the resource back into compliance with the Azure CIS v2.0.0 Benchmark.

Key benefits of Turbot Guardrails' auto-remediation policies:

  • Continuous compliance: As soon as a misconfiguration is detected, Guardrails automatically remediates the issue, ensuring your environment remains compliant with CIS recommendations at all times.
  • Reduced security operations overhead: Auto-close incidents. Eliminate the need for manual intervention and free up your team to focus on higher-value tasks. Guardrails handles the heavy lifting of maintaining compliance.
  • Customizable policies: Define auto-remediation policies that align with your organization's specific requirements and risk posture. Set different policies for different accounts, regions, resources, or per specific resource configurations. Set time-based exceptions to ignore recommendations per cloud account or per resource when not applicable.
  • Audit trail: Guardrails keeps a detailed record of all auto-remediation actions taken, providing a complete audit trail for compliance reporting and troubleshooting.
  • Comprehensive coverage: Guardrails provides over 10,000 security and operational policies out of the box for AWS, Azure, GCP, Kubernetes and ServiceNow, so you can centralize your security posture management efforts across your entire cloud infrastructure.

How to enable auto-remediation for Azure CIS v2.0.0 using Guardrails

Prerequisite: Install the Azure CIS mods

If you haven't already, install the @turbot/cis and the @turbot/azure-cisv2-0 mods, and enable the Azure > CIS v2.0 policy to Check: All CIS Benchmarks as described in our previous blog post. Installing the CIS mods will also ensure you have the appropriate azure-* dependent mods.

Remediation for a control

You can focus on specific CIS Benchmark recommendations and set policies that map to them. For example, under recommendation 3.15, Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2', a number of storage accounts are not meeting the related CIS recommendation.

To remediate, use the following Azure > Storage > Storage Account > Minimum TLS Version policy to enforce the minimum TLS version setting:

Once the policy is set to enforce, Guardrails will immediately remediate all applicable Azure storage accounts in scope:

All the storage accounts were remediated and now CIS recommendation 3.15 is showing 'green' for the controls:

Now that enforcement policies are set, Guardrails will continuously monitor and take action whenever a new storage account is created or an existing storage account is misconfigured.
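For readers who want to see what the 3.15 check and fix look like outside Guardrails, here is an added example (not Turbot's code) that evaluates a constructed `az storage account list`-style record set against the TLS 1.2 floor and builds the matching `az storage account update --min-tls-version TLS1_2` remediation commands; the sample account names and resource groups are assumptions.

```python
import json
import shlex

# Constructed sample in the shape of `az storage account list` output.
# Assumption: only the fields used here are included; real output has many more.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "acmelogs01", "resourceGroup": "rg-logging", "minimumTlsVersion": "TLS1_2"},
  {"name": "acmedata02", "resourceGroup": "rg-data",    "minimumTlsVersion": "TLS1_0"},
  {"name": "acmelegacy", "resourceGroup": "rg-legacy"}
]
"""

REQUIRED_TLS = "TLS1_2"  # CIS Azure v2.0.0 recommendation 3.15

def load_accounts(text):
    """Parse the JSON array produced by `az storage account list`."""
    return json.loads(text)

def tls_rank(version):
    """Order Azure's minimumTlsVersion values; a missing or unknown value ranks lowest."""
    order = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}
    return order.get(version, -1)

def find_noncompliant(accounts):
    """Return accounts whose minimum TLS version is below the 3.15 requirement.
    An account with no minimumTlsVersion property is treated as non-compliant,
    because no TLS 1.2 floor has been explicitly enforced on it."""
    return [a for a in accounts
            if tls_rank(a.get("minimumTlsVersion")) < tls_rank(REQUIRED_TLS)]

def remediation_commands(accounts):
    """Build one `az storage account update` command per non-compliant account."""
    return [
        "az storage account update "
        f"--name {shlex.quote(a['name'])} "
        f"--resource-group {shlex.quote(a['resourceGroup'])} "
        f"--min-tls-version {REQUIRED_TLS}"
        for a in find_noncompliant(accounts)
    ]

if __name__ == "__main__":
    for cmd in remediation_commands(load_accounts(SAMPLE_ACCOUNTS_JSON)):
        print(cmd)
```

In practice the input would come from `az storage account list -o json`; the script only prints the commands, so an operator can review them before running anything.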

Remediation for a CIS section

While you can set your own policies to remediate CIS recommendations, you can also leverage the collection of open-source policy samples available in the Guardrails Samples repository. Included in the repo are Policy Packs which are a collection of policies that can be applied to your cloud resources. Specifically for Azure CIS v2.0.0, there is a collection of Azure CIS v2.0.0 remediation Policy Packs that can be applied to your Guardrails workspace.

In the Acme environment, there are a number of Application Services resources which don't adhere to the broader set of Azure CIS v2.0.0 Section 9 recommendations.

Using Azure CIS v2.0.0 Section 9 - Application Services Policy Pack as an example, we can apply a group of preset policies to cover the Section 9 recommendations.

To apply the Policy Pack policies, you can attach it to any resource. In this case we attach it to the Acme folder which contains a few Azure subscriptions.

Once the Policy Pack is attached, Guardrails will immediately remediate all applicable app services resources in scope:

All the app services resources were remediated and now Section 9 of the CIS Benchmark is showing 'green' for the controls:

See it in action

Level up your compliance game with Guardrails

Take your Azure CIS v2.0.0 Benchmark compliance to the next level with Turbot Guardrails' auto-remediation policies. With continuous monitoring, instant remediation, and detailed audit trails, Guardrails makes it effortless to maintain a secure and compliant cloud environment.

Try it now with a 14-day free trial and see how easy it is to keep your Azure environment aligned with CIS best practices.

Looking for AWS & GCP CIS guardrails? Guardrails also supports auto-remediation policies and covers the latest CIS benchmark assessments for AWS and GCP.