What's new?
Control Types
- Azure > CIS v3.0
- Azure > CIS v3.0 > 02 - Identity
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent'
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > CIS v3.0 > 03 - Security
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v3.0 > 04 - Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v3.0 > 05 - Database Services
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
- Azure > CIS v3.0 > 06 - Logging & Monitoring
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v3.0 > 07 - Networking
- Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v3.0 > 08 - Virtual Machines
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
- Azure > CIS v3.0 > 09 - Application Services
- Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to 'On'
- Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
- Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
- Azure > CIS v3.0 > 10 - Miscellaneous
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Policy Types
- Azure > CIS v3.0
- Azure > CIS v3.0 > 02 - Identity
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent'
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > CIS v3.0 > 02 - Identity > Maximum Attestation Duration
- Azure > CIS v3.0 > 03 - Security
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
- Azure > CIS v3.0 > 03 - Security > Maximum Attestation Duration
- Azure > CIS v3.0 > 04 - Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > Maximum Attestation Duration
- Azure > CIS v3.0 > 05 - Database Services
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 5.2.6 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible > Attestation
- Azure > CIS v3.0 > 05 - Database Services > Maximum Attestation Duration
- Azure > CIS v3.0 > 06 - Logging & Monitoring
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v3.0 > 06 - Logging & Monitoring > Maximum Attestation Duration
- Azure > CIS v3.0 > 07 - Networking
- Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v3.0 > 07 - Networking > Maximum Attestation Duration
- Azure > CIS v3.0 > 08 - Virtual Machines
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
- Azure > CIS v3.0 > 08 - Virtual Machines > Maximum Attestation Duration
- Azure > CIS v3.0 > 09 - Application Services
- Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to 'On'
- Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
- Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
- Azure > CIS v3.0 > 09 - Application Services > Maximum Attestation Duration
- Azure > CIS v3.0 > 10 - Miscellaneous
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
- Azure > CIS v3.0 > 10 - Miscellaneous > Maximum Attestation Duration
- Azure > CIS v3.0 > Maximum Attestation Duration
Note
To ensure compatibility and proper functioning of the Guardrails Azure CIS v3 mod, we recommend updating all dependent mods to their latest versions.