Product logo
DocsHubBlogPricing
← Back

azure-cisv3-0 v5.0.0 is now available

Aug 01, 2025
Mods

What's new?

Control Types

  • Azure > CIS v3.0
  • Azure > CIS v3.0 > 02 - Identity
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
  • Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
  • Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
  • Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
  • Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
  • Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
  • Azure > CIS v3.0 > 03 - Security
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
  • Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v3.0 > 04 - Storage Accounts
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
  • Azure > CIS v3.0 > 05 - Database Services
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
  • Azure > CIS v3.0 > 06 - Logging & Monitoring
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v3.0 > 07 - Networking
  • Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
  • Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
  • Azure > CIS v3.0 > 08 - Virtual Machines
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure an Azure Bastion Host Exists
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
  • Azure > CIS v3.0 > 09 - Application Services
  • Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to On
  • Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
  • Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
  • Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
  • Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
  • Azure > CIS v3.0 > 10 - Miscellaneous
  • Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Policy Types

  • Azure > CIS v3.0
  • Azure > CIS v3.0 > 02 - Identity
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
  • Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
  • Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
  • Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
  • Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
  • Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
  • Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
  • Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' > Attestation
  • Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
  • Azure > CIS v3.0 > 02 - Identity > Maximum Attestation Duration
  • Azure > CIS v3.0 > 03 - Security
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
  • Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > Attestation
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
  • Azure > CIS v3.0 > 03 - Security > Maximum Attestation Duration
  • Azure > CIS v3.0 > 04 - Storage Accounts
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
  • Azure > CIS v3.0 > 04 - Storage Accounts > Maximum Attestation Duration
  • Azure > CIS v3.0 > 05 - Database Services
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
  • Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 5.2.6 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
  • Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible > Attestation
  • Azure > CIS v3.0 > 05 - Database Services > Maximum Attestation Duration
  • Azure > CIS v3.0 > 06 - Logging & Monitoring
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > Maximum Attestation Duration
  • Azure > CIS v3.0 > 07 - Networking
  • Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
  • Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
  • Azure > CIS v3.0 > 07 - Networking > Maximum Attestation Duration
  • Azure > CIS v3.0 > 08 - Virtual Machines
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed > Attestation
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted > Attestation
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation
  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
  • Azure > CIS v3.0 > 08 - Virtual Machines > Maximum Attestation Duration
  • Azure > CIS v3.0 > 09 - Application Services
  • Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to On
  • Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
  • Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
  • Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
  • Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' > Attestation
  • Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) > Attestation
  • Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) > Attestation
  • Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) > Attestation
  • Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
  • Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
  • Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
  • Azure > CIS v3.0 > 09 - Application Services > Maximum Attestation Duration
  • Azure > CIS v3.0 > 10 - Miscellaneous
  • Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
  • Azure > CIS v3.0 > 10 - Miscellaneous > Maximum Attestation Duration
  • Azure > CIS v3.0 > Maximum Attestation Duration

Note

To ensure compatibility and proper functioning of the Guardrails Azure CIS v3 mod, we recommend updating all dependent mods to their latest versions.