Changelog

Azure > CIS v5.0
Azure > CIS v5.0 > 2 - Analytics Services
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.08 - Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK)
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.09 - Ensure 'No Public IP' is set to 'Enabled'
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.10 - Ensure 'Allow Public Network Access' is set to 'Disabled'
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.11 - Ensure private endpoints are used to access Azure Databricks workspaces
Azure > CIS v5.0 > 3 - Compute Services
Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines
Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
Azure > CIS v5.0 > 5 - Identity Services
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA)
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.01 - Ensure that 'trusted locations' are defined
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.02 - Ensure that guest users are reviewed on a regular basis
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.03 - Ensure that use of the 'User Access Administrator' role is restricted
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed
Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2'
Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent'
Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
Azure > CIS v5.0 > 5 - Identity Services > 5.14 - Ensure that 'Users can register applications' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]'
Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks
Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
Azure > CIS v5.0 > 5 - Identity Services > 5.26 - Ensure fewer than 5 users have global administrator assignment
Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners
Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered
Azure > CIS v5.0 > 6 - Management and Governance Services
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.02 - Ensure Diagnostic Setting captures appropriate categories
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK)
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.11 - Ensure that an Activity Log Alert exists for Service Health
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights > 6.01.03.01 - Ensure Application Insights are Configured
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Azure > CIS v5.0 > 7 - Networking Services
Azure > CIS v5.0 > 7 - Networking Services > 7.01 - Ensure that RDP access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.02 - Ensure that SSH access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.03 - Ensure that UDP access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
Azure > CIS v5.0 > 7 - Networking Services > 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
Azure > CIS v5.0 > 7 - Networking Services > 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
Azure > CIS v5.0 > 7 - Networking Services > 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
Azure > CIS v5.0 > 7 - Networking Services > 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.11 - Ensure subnets are associated with network security groups
Azure > CIS v5.0 > 7 - Networking Services > 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
Azure > CIS v5.0 > 8 - Security Services
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM)
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 8.01.01.01 - Ensure Microsoft Defender CSPM is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs > 8.01.02.01 - Ensure Microsoft Defender for APIs is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.01 - Ensure that Defender for Servers is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers > 8.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service > 8.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault > 8.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager > 8.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT
Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.05 - Ensure 'Purge protection' is set to 'Enabled'
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.07 - Ensure Public Network Access is Disabled
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.08 - Ensure Private Endpoints are used to access Azure Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.11 - Ensure certificate 'Validity Period (in months)' is less than or equal to '12'
Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion
Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion > 8.04.01 - Ensure an Azure Bastion Host Exists
Azure > CIS v5.0 > 8 - Security Services > 8.05 - Ensure Azure DDoS Network Protection is enabled on virtual networks
Azure > CIS v5.0 > 9 - Storage Services
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.01 - Ensure soft delete for Azure File Shares is Enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.02 - Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.03 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.03 - Ensure default network access rule for storage accounts is set to deny
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management > 9.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.06 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.07 - Ensure 'Cross Tenant Replication' is not enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.08 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.11 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts

Policy Types

Azure > CIS v5.0
Azure > CIS v5.0 > 2 - Analytics Services
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets > Attestation
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes > Attestation
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks > Attestation
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks > Attestation
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens > Attestation
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks > Attestation
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.08 - Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK)
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.09 - Ensure 'No Public IP' is set to 'Enabled'
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.10 - Ensure 'Allow Public Network Access' is set to 'Disabled'
Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.11 - Ensure private endpoints are used to access Azure Databricks workspaces
Azure > CIS v5.0 > 2 - Analytics Services > Maximum Attestation Duration
Azure > CIS v5.0 > 3 - Compute Services
Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines
Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation
Azure > CIS v5.0 > 3 - Compute Services > Maximum Attestation Duration
Azure > CIS v5.0 > 5 - Identity Services
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA)
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.01 - Ensure that 'trusted locations' are defined
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered
Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.02 - Ensure that guest users are reviewed on a regular basis
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.03 - Ensure that use of the 'User Access Administrator' role is restricted
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed
Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2'
Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent'
Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.14 - Ensure that 'Users can register applications' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]'
Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks
Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.26 - Ensure fewer than 5 users have global administrator assignment
Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners
Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners > Attestation
Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered
Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered > Attestation
Azure > CIS v5.0 > 5 - Identity Services > Maximum Attestation Duration
Azure > CIS v5.0 > 6 - Management and Governance Services
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.02 - Ensure Diagnostic Setting captures appropriate categories
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK)
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.11 - Ensure that an Activity Log Alert exists for Service Health
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights > 6.01.03.01 - Ensure Application Insights are Configured
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
Azure > CIS v5.0 > 6 - Management and Governance Services > Maximum Attestation Duration
Azure > CIS v5.0 > 7 - Networking Services
Azure > CIS v5.0 > 7 - Networking Services > Maximum Attestation Duration
Azure > CIS v5.0 > 7 - Networking Services > 7.01 - Ensure that RDP access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.02 - Ensure that SSH access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.03 - Ensure that UDP access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
Azure > CIS v5.0 > 7 - Networking Services > 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation
Azure > CIS v5.0 > 7 - Networking Services > 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
Azure > CIS v5.0 > 7 - Networking Services > 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
Azure > CIS v5.0 > 7 - Networking Services > 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.11 - Ensure subnets are associated with network security groups
Azure > CIS v5.0 > 7 - Networking Services > 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources > Attestation
Azure > CIS v5.0 > 8 - Security Services
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM)
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 8.01.01.01 - Ensure Microsoft Defender CSPM is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs > 8.01.02.01 - Ensure Microsoft Defender for APIs is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.01 - Ensure that Defender for Servers is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers > 8.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service > 8.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault > 8.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager > 8.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT
Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.05 - Ensure 'Purge protection' is set to 'Enabled'
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.07 - Ensure Public Network Access is Disabled
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.08 - Ensure Private Endpoints are used to access Azure Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required > Attestation
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.11 - Ensure certificate 'Validity Period (in months)' is less than or equal to '12'
Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion
Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion > 8.04.01 - Ensure an Azure Bastion Host Exists
Azure > CIS v5.0 > 8 - Security Services > 8.05 - Ensure Azure DDoS Network Protection is enabled on virtual networks
Azure > CIS v5.0 > 8 - Security Services > Maximum Attestation Duration
Azure > CIS v5.0 > 9 - Storage Services
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.01 - Ensure soft delete for Azure File Shares is Enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.02 - Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.03 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.03 - Ensure default network access rule for storage accounts is set to deny
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management > 9.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.06 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.07 - Ensure 'Cross Tenant Replication' is not enabled
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.08 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts > Attestation
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts > Attestation
Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.11 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts
Azure > CIS v5.0 > 9 - Storage Services > Maximum Attestation Duration
Azure > CIS v5.0 > Maximum Attestation Duration

Note

This mod requires @turbot/azure-storage v5.31.0 or higher for the Storage Services (Section 9) controls to function correctly.