Policy types for @turbot/azure-cisv1-2

Azure > CIS v1.2

Configures a default auditing level against the CIS Microsoft Azure Foundations Benchmark, Version 1.2.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/cis
Valid Value
[
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
],
"default": "Skip"
}

Azure > CIS v1.2 > 1 - Identity and Access Management

Covers security recommendations to follow when setting identity and access management policies on an Azure subscription.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/s01
Valid Value
[
"Per Azure > CIS v1.2",
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2",
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
],
"example": [
"Skip"
],
"default": "Per Azure > CIS v1.2"
}
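The values above form an inheritance chain: an item left at its default "Per Azure > CIS v1.2 > 1 - Identity and Access Management" follows the section, which by default follows "Azure > CIS v1.2", whose default is "Skip". The following Python is an added example, not Turbot's implementation, that resolves that chain for a handful of the items documented on this page. The policy keys (cis, s01, r0101 and so on) are taken from the URIs; the rule that a parent value such as "Check: Level 1 & Level 2 (Scored)" audits an item only when its Level and Scored/Not Scored status fall within that setting is an assumption made for the example.

```python
# Added example (not Turbot's code): resolve the effective setting of a CIS item
# under the "Per <parent>" inheritance shown on this page. How a parent value such
# as "Check: Level 1 & Level 2 (Scored)" is interpreted for an individual item
# (audit it only if its Level and Scored/Not Scored status fall inside the parent
# setting) is an assumption made for this example.
from dataclasses import dataclass

ROOT = "Azure > CIS v1.2"
SECTION = "Azure > CIS v1.2 > 1 - Identity and Access Management"

# Parent-level values from the page, mapped to (highest level audited,
# whether Not Scored items are audited too).
LEVEL_SETTINGS = {
    "Check: Level 1 (Scored)": (1, False),
    "Check: Level 1 (Scored & Not Scored)": (1, True),
    "Check: Level 1 & Level 2 (Scored)": (2, False),
    "Check: Level 1 & Level 2 (Scored & Not Scored)": (2, True),
}


@dataclass(frozen=True)
class CisItem:
    policy: str        # policy key, e.g. "r0104"
    level: int         # CIS profile level, 1 or 2
    scored: bool       # Scored vs Not Scored
    attestation: bool  # audited "using attestation" (manual check) or automated

    def check_value(self) -> str:
        """The item's own 'Check: ...' enum value, as listed on the page."""
        status = "Scored" if self.scored else "Not Scored"
        value = f"Check: Level {self.level} ({status})"
        return value + " using attestation" if self.attestation else value

    def default_value(self) -> str:
        suffix = " using attestation" if self.attestation else ""
        return f"Per {SECTION}{suffix}"


def effective_value(item: CisItem, settings: dict) -> str:
    """Walk item -> section -> root until a value that is not 'Per ...' is found,
    then decide whether the item is checked or skipped."""
    value = settings.get(item.policy, item.default_value())
    if value.startswith("Per "):
        value = settings.get("s01", f"Per {ROOT}")
    if value.startswith("Per "):
        value = settings.get("cis", "Skip")   # root default on this page is Skip
    if value == "Skip":
        return "Skip"
    if value in LEVEL_SETTINGS:
        max_level, include_not_scored = LEVEL_SETTINGS[value]
        in_scope = item.level <= max_level and (item.scored or include_not_scored)
        return item.check_value() if in_scope else "Skip"
    # An explicit "Check: ..." set directly on the item applies as written.
    return value


# Four items from this page, with the Level/Scored attributes it lists for them.
ITEMS = [
    CisItem("r0101", 1, False, True),   # 1.01 MFA for privileged users
    CisItem("r0103", 1, True, False),   # 1.03 guest users reviewed monthly
    CisItem("r0104", 2, False, True),   # 1.04 remember MFA on trusted devices
    CisItem("r0121", 2, True, False),   # 1.21 no custom subscription owner roles
]


def resolve_all(settings: dict) -> dict:
    """Effective value per policy key for the given explicit settings."""
    return {item.policy: effective_value(item, settings) for item in ITEMS}


if __name__ == "__main__":
    for key, value in resolve_all({"cis": "Check: Level 1 & Level 2 (Scored)"}).items():
        print(key, "->", value)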

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Enable multi-factor authentication for every user account that has write access to Azure resources. These include roles such as:

  1. Service Co-Administrators
  2. Subscription Owners
  3. Contributors
URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0101
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.01 - Ensure that multi-factor authentication is enabled for all privileged users (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to All Users
  4. Click on Multi-Factor Authentication button on the top bar
  5. Ensure that MULTI-FACTOR AUTH STATUS is Enabled for all users who are Service Co-Administrators OR Owners OR Contributors.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.02 - Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Enable multi-factor authentication for all non-privileged users.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0102
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.02 - Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to All Users
  4. Click on Multi-Factor Authentication button on the top bar
  5. Ensure that for all users MULTI-FACTOR AUTH STATUS is Enabled

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.03 - Ensure guest users are reviewed on a monthly basis (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0103
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management"
}
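Since this item is Scored, a practitioner will want to script the monthly review rather than eyeball the portal. The following Python is an added example, not Turbot's code or the benchmark's audit procedure: it classifies guest accounts from the shape Microsoft Graph returns for GET /users with $select=displayName,userPrincipalName,userType,externalUserState,createdDateTime. The user records are constructed for the example, and the 30-day window and the use of createdDateTime as the review clock are assumptions.

```python
# Added example (not Turbot's code): a review list for CIS 1.03 built from the
# user objects Microsoft Graph returns for
#   GET /users?$select=displayName,userPrincipalName,userType,externalUserState,createdDateTime
# The records below are constructed for the example; the "due for review after
# 30 days" rule and the use of createdDateTime as the review clock are assumptions.
from datetime import datetime, timedelta, timezone

SAMPLE_USERS = [  # constructed sample data in Graph /users shape
    {"displayName": "Alice Member", "userPrincipalName": "alice@contoso.example",
     "userType": "Member", "externalUserState": None,
     "createdDateTime": "2019-01-10T08:00:00Z"},
    {"displayName": "Bob Partner", "userPrincipalName": "bob_partner.example#EXT#@contoso.example",
     "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2020-03-01T12:30:00Z"},
    {"displayName": "Carol Vendor", "userPrincipalName": "carol_vendor.example#EXT#@contoso.example",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2020-02-15T09:00:00Z"},
    {"displayName": "Dan New", "userPrincipalName": "dan_new.example#EXT#@contoso.example",
     "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2020-04-20T16:45:00Z"},
]

NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)  # fixed "today" for the example


def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO 8601 with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def guest_review(users, now=NOW, review_after_days=30) -> dict:
    """Classify guest accounts for a monthly review.

    Returns three lists of userPrincipalNames:
      pending - invitations never redeemed; nothing is lost by revoking them
      due     - accepted guests created before the review window
      recent  - accepted guests created inside the window
    """
    cutoff = now - timedelta(days=review_after_days)
    report = {"pending": [], "due": [], "recent": []}
    for user in users:
        if user.get("userType") != "Guest":
            continue  # members are out of scope for this item
        upn = user["userPrincipalName"]
        if user.get("externalUserState") == "PendingAcceptance":
            report["pending"].append(upn)
        elif parse_graph_time(user["createdDateTime"]) <= cutoff:
            report["due"].append(upn)
        else:
            report["recent"].append(upn)
    return report


if __name__ == "__main__":
    for bucket, upns in guest_review(SAMPLE_USERS).items():
        print(f"{bucket}: {upns}")
```

Unredeemed invitations are the first thing to remove: they are accounts nobody has ever used, and an attacker who later compromises the invited mailbox can still redeem them.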

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Do not allow users to remember multi-factor authentication on devices.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0104
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to All Users
  4. Click on Multi-Factor Authentication button on the top bar
  5. Click on service settings
  6. Ensure that Allow users to remember multi-factor authentication on devices they trust is disabled

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Ensure that two alternate forms of identification are provided before allowing a password reset.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0105
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.05 - Ensure that 'Number of methods required to reset' is set to '2' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to Password reset
  4. Go to Authentication methods
  5. Ensure that Number of methods required to reset is set to 2

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0106
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.06 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to Password reset
  4. Go to Registration
  5. Ensure that Number of days before users are asked to re-confirm their authentication information is not set to 0

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Ensure that users are notified on their primary and secondary emails on password resets.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0107
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.07 - Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to Password reset
  4. Go to Notification
  5. Ensure that Notify users on password resets? is set to Yes

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Ensure that all administrators are notified if any other administrator resets their password.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0108
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.08 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to Password reset
  4. Go to Notification
  5. Ensure that Notify all admins when other admins reset their password? is set to Yes

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Require administrators to provide consent for the apps before use.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0109
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.09 - Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Users can consent to apps accessing company data on their behalf is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Require administrators to provide consent for the apps before use.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0110
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.10 - Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Users can add gallery apps to their Access Panel is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Require administrators to register third-party applications.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0111
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.11 - Ensure that 'Users can register applications' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Users can register applications is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Limit guest user permissions.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0112
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.12 - Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Guest user permissions are limited is set to Yes

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Restrict invitations to administrators only.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0113
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.13 - Ensure that 'Members can invite' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Members can invite is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0113Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Restrict guest invitations.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0114
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.14 - Ensure that 'Guests can invite' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Guests can invite is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0114Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Restrict access to the Azure AD administration portal to administrators only.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0115
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.15 - Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to User settings
  4. Ensure that Restrict access to Azure AD administration portal is set to Yes

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Restrict group creation to administrators only.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0116
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.16 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Groups
  3. Go to General in settings
  4. Ensure that Restrict user ability to access groups features in the Access Pane is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Restrict security group creation to administrators only.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0117
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.17 - Ensure that 'Users can create security groups' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to Group settings
  4. Ensure that Users can create security groups is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Restrict security group management to administrators only.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0118
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.18 - Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Groups
  3. Go to General in settings
  4. Ensure that Owners can manage group membership requests in the Access Panel is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Restrict Office 365 group creation to administrators only.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0119
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.19 - Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Users and groups
  3. Go to Group settings
  4. Ensure that Users can create Office 365 groups is set to No

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Joining devices to Azure Active Directory should require multi-factor authentication.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0120
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.20 - Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Azure Active Directory
  2. Go to Devices
  3. Go to Device settings
  4. Ensure that Require Multi-Factor Auth to join devices is set to Yes

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.21 - Ensure that no custom subscription owner roles are created (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0121
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management"
}
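The benchmark's audit for this item is to list custom role definitions and look for any that combine the wildcard action "*" with an assignable scope of "/" or a whole subscription. The following Python is an added example, not Turbot's check, that applies that rule to the JSON produced by az role definition list --custom-role-only true -o json. The role definitions are constructed sample data with a placeholder subscription ID.

```python
# Added example (not Turbot's code): the CIS 1.21 audit over the JSON that
#   az role definition list --custom-role-only true -o json
# returns. A custom role is flagged when it grants the wildcard action "*" and
# can be assigned at the root ("/") or at a whole subscription. The role
# definitions below are constructed sample data; the subscription ID is a
# placeholder.
import re

# Matches "/subscriptions/<id>" exactly, not a resource group or resource below it.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]+/?$")

SAMPLE_ROLES = [  # constructed, in az CLI output shape (camelCase keys)
    {"roleName": "Custom Owner", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "permissions": [{"actions": ["*"], "notActions": [],
                      "dataActions": [], "notDataActions": []}]},
    {"roleName": "RG Admin", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"],
     "permissions": [{"actions": ["*"], "notActions": [],
                      "dataActions": [], "notDataActions": []}]},
    {"roleName": "VM Reader", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "permissions": [{"actions": ["Microsoft.Compute/*/read"], "notActions": [],
                      "dataActions": [], "notDataActions": []}]},
    {"roleName": "Tenant Owner", "roleType": "CustomRole",
     "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"],
                      "dataActions": [], "notDataActions": []}]},
]


def is_owner_like_scope(scope: str) -> bool:
    """True for the tenant root or a whole subscription."""
    return scope == "/" or bool(SUBSCRIPTION_SCOPE.match(scope))


def grants_wildcard(role: dict) -> bool:
    """True when any permission block lists the unrestricted action "*"."""
    return any("*" in perm.get("actions", []) for perm in role.get("permissions", []))


def custom_owner_roles(roles) -> list:
    """Names of custom roles that violate CIS 1.21."""
    return [
        role["roleName"] for role in roles
        if role.get("roleType") == "CustomRole"
        and grants_wildcard(role)
        and any(is_owner_like_scope(s) for s in role.get("assignableScopes", []))
    ]


if __name__ == "__main__":
    # In practice: roles = json.load(open("roles.json")) from the az command above.
    for name in custom_owner_roles(SAMPLE_ROLES):
        print("custom owner-equivalent role:", name)
```

A NotActions list does not clear the finding: "Tenant Owner" above still grants "*" and is flagged. Narrowing AssignableScopes to a resource group ("RG Admin") is what takes a wildcard role out of scope for this item, though it remains worth reviewing under least privilege.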

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0122
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.22 - Ensure Security Defaults is enabled on Azure Active Directory (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  2. Browse to Azure Active Directory > Properties.
  3. Select Manage security defaults.
  4. Verify that the Enable security defaults toggle is set to Yes.

Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set the policy to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0122Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.23 - Ensure Custom Role is assigned for Administering Resource Locks (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0123
Valid Value
[
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 1 - Identity and Access Management using attestation"
}

Azure > CIS v1.2 > 1 - Identity and Access Management > 1.23 - Ensure Custom Role is assigned for Administering Resource Locks (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. In the Azure portal, open the subscription or resource group whose role assignments you want to view.
  2. Select Access control (IAM)
  3. Select Roles
  4. Search for the custom role named <role_name> (for example, "Resource Lock Administrator" from the remediation)
  5. Ensure that the role is assigned to the appropriate user or users

Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set the policy to a blank value to clear the attestation.
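The two role-definition checks in this part of the benchmark, 1.21 (no custom subscription owner roles) and 1.23 (a dedicated custom role for resource locks), can both be evaluated from the JSON that the Azure CLI returns. The following is an added example, not part of this policy pack and not Turbot's own check logic; the role definitions it runs over are constructed to mirror the shape of `az role definition list --custom-role-only true -o json`, and the subscription ID and role names are placeholders:

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `az role definition list -o json`, trimmed to the
# fields the checks read. The subscription ID and role names are placeholders.
SAMPLE_ROLE_DEFINITIONS: List[Dict] = json.loads("""
[
  {
    "roleName": "Resource Lock Administrator",
    "roleType": "CustomRole",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
    "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]
  },
  {
    "roleName": "Shadow Owner",
    "roleType": "CustomRole",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
    "permissions": [{"actions": ["*"], "notActions": []}]
  },
  {
    "roleName": "RG Full Access",
    "roleType": "CustomRole",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"],
    "permissions": [{"actions": ["*"], "notActions": []}]
  },
  {
    "roleName": "Owner",
    "roleType": "BuiltInRole",
    "assignableScopes": ["/"],
    "permissions": [{"actions": ["*"], "notActions": []}]
  }
]
""")


def is_root_or_subscription_scope(scope: str) -> bool:
    """True for '/' (tenant root) or '/subscriptions/<id>'; False for anything narrower."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return True
    return len(parts) == 2 and parts[0].lower() == "subscriptions"


def custom_owner_roles(role_defs: List[Dict]) -> List[str]:
    """CIS 1.21: names of custom roles granting every action ('*') at root or subscription scope.

    A '*' grant scoped to a single resource group is broad but is not a subscription owner
    in the benchmark's sense, so it is not flagged here.
    """
    findings = []
    for rd in role_defs:
        if rd.get("roleType") != "CustomRole":
            continue  # the built-in Owner role is expected; the benchmark targets custom copies
        grants_everything = any("*" in perm.get("actions", []) for perm in rd.get("permissions", []))
        broad_scope = any(is_root_or_subscription_scope(s) for s in rd.get("assignableScopes", []))
        if grants_everything and broad_scope:
            findings.append(rd["roleName"])
    return findings


def lock_administrator_roles(role_defs: List[Dict]) -> List[str]:
    """CIS 1.23: names of custom roles whose actions are limited to resource-lock management."""
    prefix = "Microsoft.Authorization/locks/"
    result = []
    for rd in role_defs:
        if rd.get("roleType") != "CustomRole":
            continue
        actions = [a for perm in rd.get("permissions", []) for a in perm.get("actions", [])]
        # all() over an empty list is True, so require at least one action
        if actions and all(a.startswith(prefix) for a in actions):
            result.append(rd["roleName"])
    return result


if __name__ == "__main__":
    print("1.21 custom owner roles:", custom_owner_roles(SAMPLE_ROLE_DEFINITIONS))
    print("1.23 lock administrator roles:", lock_administrator_roles(SAMPLE_ROLE_DEFINITIONS))
```

The 1.21 audit looks for `*` in actions together with an assignable scope of `/` or a whole subscription; a `*` grant scoped to one resource group is deliberately not flagged, so review such roles separately under least privilege. For 1.23 the function only confirms that a suitably narrow custom role exists; whether it is actually assigned still has to be checked, for example with `az role assignment list --role "<role_name>"`.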

Azure > CIS v1.2 > 1 - Identity and Access Management > Maximum Attestation Duration

The maximum duration for CIS attestations. Attestation policies cannot be set further in the future than is specified here.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/s01Attestation
Category
Valid Value
[
"Per Azure > CIS v1.2 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per Azure > CIS v1.2 > Maximum Attestation Duration"
}

Azure > CIS v1.2 > 7 - Virtual Machines

Covers security recommendations for Azure Compute.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/s07
Category
Valid Value
[
"Per Azure > CIS v1.2",
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2",
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
],
"example": [
"Skip"
],
"default": "Per Azure > CIS v1.2"
}

Azure > CIS v1.2 > 7 - Virtual Machines > 7.01 - Ensure Virtual Machines are utilizing Managed Disks (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Migrate blob-based VHDs to Managed Disks on virtual machines to take advantage of the default features of this configuration. The features include

  1. Default disk encryption (managed disks are encrypted at rest with platform-managed keys by default)
  2. Resilience, as Microsoft manages the disk storage and moves it if the underlying hardware becomes faulty
  3. Reduced cost compared with storage accounts

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0701
Valid Value
[
"Per Azure > CIS v1.2 > 7 - Virtual Machines",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 7 - Virtual Machines",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 7 - Virtual Machines"
}

Azure > CIS v1.2 > 7 - Virtual Machines > 7.02 - Ensure that 'OS and Data' disks are encrypted with CMK (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0702
Valid Value
[
"Per Azure > CIS v1.2 > 7 - Virtual Machines",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 7 - Virtual Machines",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 7 - Virtual Machines"
}

Azure > CIS v1.2 > 7 - Virtual Machines > 7.03 - Ensure that 'Unattached disks' are encrypted with CMK (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0703
Valid Value
[
"Per Azure > CIS v1.2 > 7 - Virtual Machines",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 7 - Virtual Machines",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 7 - Virtual Machines"
}
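The three disk checks above (7.01 managed disks, 7.02 attached disks encrypted with a CMK, 7.03 unattached disks encrypted with a CMK) all read a handful of fields from Azure CLI output. The following is an added example, not part of this policy pack and not Turbot's own check logic. The VM and disk records are constructed to mirror the fields of `az vm list -o json` and `az disk list -o json` that the checks need; VM names, disk names, resource IDs and the subscription segment `s` are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `az vm list -o json`, trimmed to storageProfile fields.
SAMPLE_VMS: List[Dict] = json.loads("""
[
  {
    "name": "web-01",
    "storageProfile": {
      "osDisk": {"name": "web-01_OsDisk",
                 "managedDisk": {"id": "/subscriptions/s/resourceGroups/app-rg/providers/Microsoft.Compute/disks/web-01_OsDisk"},
                 "vhd": null},
      "dataDisks": [{"name": "web-01-data",
                     "managedDisk": {"id": "/subscriptions/s/resourceGroups/app-rg/providers/Microsoft.Compute/disks/web-01-data"},
                     "vhd": null}]
    }
  },
  {
    "name": "legacy-01",
    "storageProfile": {
      "osDisk": {"name": "legacy-01-os", "managedDisk": null,
                 "vhd": {"uri": "https://legacystor.blob.core.windows.net/vhds/legacy-01-os.vhd"}},
      "dataDisks": []
    }
  }
]
""")

# Constructed sample in the shape of `az disk list -o json`, trimmed to diskState and encryption.
SAMPLE_DISKS: List[Dict] = json.loads("""
[
  {"name": "web-01_OsDisk", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "web-01-data", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/s/resourceGroups/app-rg/providers/Microsoft.Compute/diskEncryptionSets/app-des"}},
  {"name": "orphan-data", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "archive-data", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
                  "diskEncryptionSetId": "/subscriptions/s/resourceGroups/app-rg/providers/Microsoft.Compute/diskEncryptionSets/app-des"}}
]
""")

# Encryption types that involve a customer-managed key; double encryption counts as CMK-backed.
CMK_ENCRYPTION_TYPES = {"EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys"}


def vms_with_unmanaged_disks(vms: List[Dict]) -> Dict[str, List[str]]:
    """CIS 7.01: map VM name -> OS/data disks that are page-blob VHDs rather than managed disks."""
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        profile = vm.get("storageProfile", {})
        disks = [profile.get("osDisk", {})] + profile.get("dataDisks", [])
        unmanaged = [d.get("name", "<unnamed>") for d in disks if not d.get("managedDisk")]
        if unmanaged:
            findings[vm["name"]] = unmanaged
    return findings


def disks_without_cmk(disks: List[Dict], disk_state: str) -> List[str]:
    """Names of disks in the given diskState ('Attached' or 'Unattached') not encrypted with a CMK."""
    return [
        d["name"]
        for d in disks
        if d.get("diskState") == disk_state
        and d.get("encryption", {}).get("type") not in CMK_ENCRYPTION_TYPES
    ]


def attached_disks_without_cmk(disks: List[Dict]) -> List[str]:
    """CIS 7.02: OS and data disks attached to a VM that are not encrypted with a CMK."""
    return disks_without_cmk(disks, "Attached")


def unattached_disks_without_cmk(disks: List[Dict]) -> List[str]:
    """CIS 7.03: unattached disks that are not encrypted with a CMK."""
    return disks_without_cmk(disks, "Unattached")


if __name__ == "__main__":
    print("7.01:", vms_with_unmanaged_disks(SAMPLE_VMS))
    print("7.02:", attached_disks_without_cmk(SAMPLE_DISKS))
    print("7.03:", unattached_disks_without_cmk(SAMPLE_DISKS))
```

Unmanaged VHDs never appear in `az disk list`, so the 7.02 check as written only covers managed disks; a VM flagged by 7.01 has to have the encryption of its VHD's storage account reviewed separately. Double encryption (`EncryptionAtRestWithPlatformAndCustomerKeys`) is accepted as CMK-backed.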

Azure > CIS v1.2 > 7 - Virtual Machines > 7.04 - Ensure that only approved extensions are installed (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Only install organization-approved extensions on VMs.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0704
Valid Value
[
"Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation"
}

Azure > CIS v1.2 > 7 - Virtual Machines > 7.04 - Ensure that only approved extensions are installed (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Virtual machines
  2. For each virtual machine, go to Settings
  3. Click on Extensions
  4. Ensure that the listed extensions are approved for use.

Azure Command Line Interface 2.0

Use the command below to list the extensions attached to a VM, and ensure that the listed extensions are approved for use:

  az vm extension list --vm-name <vmName> --resource-group <resourceGroupName> --query "[*].name"

Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set the policy to a blank value to clear the attestation.

Azure > CIS v1.2 > 7 - Virtual Machines > 7.05 - Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Ensure that the latest OS patches for all virtual machines are applied.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0705
Valid Value
[
"Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation"
}

Azure > CIS v1.2 > 7 - Virtual Machines > 7.05 - Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Security Center - Recommendations
  2. Ensure that there are no recommendations for Apply system updates

Alternatively, you can employ your own patch assessment and management tool to periodically assess, report and install the required security patches for your OS.

Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set the policy to a blank value to clear the attestation.

Azure > CIS v1.2 > 7 - Virtual Machines > 7.06 - Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Install endpoint protection for all virtual machines.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0706
Valid Value
[
"Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 7 - Virtual Machines using attestation"
}

Azure > CIS v1.2 > 7 - Virtual Machines > 7.06 - Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Go to Security Center - Recommendations
  2. Ensure that there are no recommendations for Endpoint Protection not installed on Azure VMs

Azure Command Line Interface 2.0

  az vm show -g MyResourceGroup -n MyVm -d

The output should list one of the extensions below, or another endpoint protection extension, among the installed extensions:

  EndpointSecurity || TrendMicroDSA || Antimalware || EndpointProtection || SCWPAgent || PortalProtectExtension || FileSecurity*

Alternatively, you can employ your own endpoint protection tool for your OS.

Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set the policy to a blank value to clear the attestation.
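The 7.04 attestation (only approved extensions) and the 7.06 attestation (an endpoint protection extension is present) both work from the same per-VM extension inventory. The following is an added example, not part of this policy pack and not Turbot's own check logic. The per-VM extension lists are constructed to mirror the `name` and `publisher` fields of `az vm extension list -o json`; the allowlist, the VM names and the ExampleVendor publisher are assumptions made for the example.

```python
import fnmatch
from typing import Dict, List, Set

# Constructed sample: per-VM results of `az vm extension list --vm-name <vm> --resource-group <rg> -o json`,
# keyed by VM name and trimmed to the name and publisher fields. Not real inventory data.
SAMPLE_VM_EXTENSIONS: Dict[str, List[Dict[str, str]]] = {
    "web-01": [
        {"name": "OmsAgentForLinux", "publisher": "Microsoft.EnterpriseCloud.Monitoring"},
        {"name": "TrendMicroDSA", "publisher": "TrendMicro.DeepSecurity"},
    ],
    "build-01": [
        {"name": "CustomScript", "publisher": "Microsoft.Azure.Extensions"},
        {"name": "FileSecurityAgent", "publisher": "ExampleVendor"},  # hypothetical vendor
    ],
    "db-01": [
        {"name": "OmsAgentForLinux", "publisher": "Microsoft.EnterpriseCloud.Monitoring"},
    ],
}

# Hypothetical organisation allowlist for CIS 7.04; an assumption for this example.
APPROVED_EXTENSIONS: Set[str] = {"OmsAgentForLinux", "TrendMicroDSA", "IaaSAntimalware"}

# Endpoint protection extension names from the CIS 7.06 audit text; 'FileSecurity*' is a wildcard.
ENDPOINT_PROTECTION_PATTERNS: List[str] = [
    "EndpointSecurity", "TrendMicroDSA", "Antimalware", "EndpointProtection",
    "SCWPAgent", "PortalProtectExtension", "FileSecurity*",
]


def unapproved_extensions(vm_extensions: Dict[str, List[Dict[str, str]]],
                          approved: Set[str]) -> Dict[str, List[str]]:
    """CIS 7.04: map VM name -> installed extensions whose name is not on the allowlist."""
    findings: Dict[str, List[str]] = {}
    for vm, exts in vm_extensions.items():
        bad = sorted(e["name"] for e in exts if e["name"] not in approved)
        if bad:
            findings[vm] = bad
    return findings


def has_endpoint_protection(extensions: List[Dict[str, str]]) -> bool:
    """True if any installed extension name matches a CIS 7.06 pattern (case-insensitive glob)."""
    return any(
        fnmatch.fnmatchcase(e["name"].lower(), pattern.lower())
        for e in extensions
        for pattern in ENDPOINT_PROTECTION_PATTERNS
    )


def vms_without_endpoint_protection(vm_extensions: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """CIS 7.06: VMs with no recognised endpoint protection extension installed."""
    return sorted(vm for vm, exts in vm_extensions.items() if not has_endpoint_protection(exts))


if __name__ == "__main__":
    print("7.04:", unapproved_extensions(SAMPLE_VM_EXTENSIONS, APPROVED_EXTENSIONS))
    print("7.06:", vms_without_endpoint_protection(SAMPLE_VM_EXTENSIONS))
```

Both checks match on the extension's instance name, which is what the benchmark's audit text does, but that name is chosen at install time and can be anything. For a control you rely on, also compare the publisher (and the extension type) against what you expect; otherwise a CustomScript extension installed under the name "Antimalware" satisfies 7.06.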

Azure > CIS v1.2 > 7 - Virtual Machines > Maximum Attestation Duration

The maximum duration for CIS attestations. Attestation policies cannot be set further in the future than is specified here.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/s07Attestation
Category
Valid Value
[
"Per Azure > CIS v1.2 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per Azure > CIS v1.2 > Maximum Attestation Duration"
}

Azure > CIS v1.2 > 8 - Other Security Considerations

Covers security recommendations to follow in order to set general security and operational controls on an Azure Subscription.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/s08
Category
Valid Value
[
"Per Azure > CIS v1.2",
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2",
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
],
"example": [
"Skip"
],
"default": "Per Azure > CIS v1.2"
}

Azure > CIS v1.2 > 8 - Other Security Considerations > 8.01 - Ensure that the expiration date is set on all keys (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Ensure that all keys in Azure Key Vault have an expiration time set.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0801
Valid Value
[
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 8 - Other Security Considerations"
}

Azure > CIS v1.2 > 8 - Other Security Considerations > 8.02 - Ensure that the expiration date is set on all secrets (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Ensure that all secrets in Azure Key Vault have an expiration time set.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0802
Valid Value
[
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 8 - Other Security Considerations"
}

Azure > CIS v1.2 > 8 - Other Security Considerations > 8.03 - Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Control (RBAC) hierarchy and, when applied, place restrictions on the resource for all users. They are very useful when a subscription contains an important resource that users should not be able to delete or change, and can help prevent both accidental and malicious changes or deletion.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0803
Valid Value
[
"Per Azure > CIS v1.2 > 8 - Other Security Considerations using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 8 - Other Security Considerations using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per Azure > CIS v1.2 > 8 - Other Security Considerations using attestation"
}

Azure > CIS v1.2 > 8 - Other Security Considerations > 8.03 - Ensure that Resource Locks are set for mission critical Azure resources (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Console

  1. Navigate to the specific Azure Resource or Resource Group
  2. Click on Locks
  3. Ensure the lock is defined with name and description, type as CanNotDelete or ReadOnly as appropriate.

Azure Command Line Interface 2.0

Review the list of all locks currently set:

  az lock list --resource-group <resourcegroupname> --resource-name <resourcename> --namespace <Namespace> --resource-type <type> --parent ""

Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1.2 > Maximum Attestation Duration. Set the policy to a blank value to clear the attestation.

Azure > CIS v1.2 > 8 - Other Security Considerations > 8.04 - Ensure the key vault is recoverable (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0804
Valid Value
[
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 8 - Other Security Considerations"
}
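The three Key Vault checks in this section, 8.01 (keys have an expiration), 8.02 (secrets have an expiration) and 8.04 (the vault is recoverable), read a few fields from Azure CLI output. The following is an added example, not part of this policy pack and not Turbot's own check logic. The key, secret and vault records are constructed to mirror the fields of `az keyvault key list`, `az keyvault secret list` and `az keyvault show` JSON output that the checks need; the vault name example-kv and the object names are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `az keyvault key list --vault-name example-kv -o json`,
# trimmed to name, kid and attributes. Not real vault data.
SAMPLE_KEYS: List[Dict] = json.loads("""
[
  {"name": "app-signing", "kid": "https://example-kv.vault.azure.net/keys/app-signing",
   "attributes": {"enabled": true, "expires": "2026-01-01T00:00:00+00:00"}},
  {"name": "legacy-key", "kid": "https://example-kv.vault.azure.net/keys/legacy-key",
   "attributes": {"enabled": true, "expires": null}}
]
""")

# Constructed sample in the shape of `az keyvault secret list --vault-name example-kv -o json`.
SAMPLE_SECRETS: List[Dict] = json.loads("""
[
  {"name": "db-password", "id": "https://example-kv.vault.azure.net/secrets/db-password",
   "attributes": {"enabled": true, "expires": null}},
  {"name": "api-token", "id": "https://example-kv.vault.azure.net/secrets/api-token",
   "attributes": {"enabled": true, "expires": "2025-06-30T00:00:00+00:00"}},
  {"name": "retired-cert-password", "id": "https://example-kv.vault.azure.net/secrets/retired-cert-password",
   "attributes": {"enabled": false}}
]
""")

# Constructed sample in the shape of `az keyvault show --name example-kv -o json`, trimmed to
# the two recoverability properties. enablePurgeProtection is null until it has been turned on.
SAMPLE_VAULT: Dict = json.loads("""
{"name": "example-kv", "properties": {"enableSoftDelete": true, "enablePurgeProtection": null}}
""")


def objects_without_expiry(objects: List[Dict]) -> List[str]:
    """CIS 8.01 / 8.02: names of keys or secrets whose attributes carry no expiration date.

    A missing 'expires' field is treated the same as an explicit null, and disabled objects
    are still reported: the benchmark requires an expiry on every key and secret.
    """
    return [o["name"] for o in objects if not o.get("attributes", {}).get("expires")]


def recoverability_gaps(vault: Dict) -> List[str]:
    """CIS 8.04: vault properties that must be true for the vault to be recoverable but are not."""
    props = vault.get("properties", {})
    return [p for p in ("enableSoftDelete", "enablePurgeProtection") if props.get(p) is not True]


if __name__ == "__main__":
    print("8.01 keys without expiry:", objects_without_expiry(SAMPLE_KEYS))
    print("8.02 secrets without expiry:", objects_without_expiry(SAMPLE_SECRETS))
    print("8.04 recoverability gaps:", recoverability_gaps(SAMPLE_VAULT))
```

Listing keys and secrets returns metadata only, so the identity running the check needs list permission on the vault, not permission to read key material or secret values. Soft delete alone does not satisfy 8.04: without purge protection, a principal with purge rights can still destroy a soft-deleted vault or object immediately, which is why both properties are checked.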

Azure > CIS v1.2 > 8 - Other Security Considerations > 8.05 - Enable role-based access control (RBAC) within Azure Kubernetes Services (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Azure Kubernetes Services has the capability to integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. This should be utilized to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls not just of the overarching AKS instance but also the individual resources managed within Kubernetes.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/r0805
Valid Value
[
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > 8 - Other Security Considerations",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per Azure > CIS v1.2 > 8 - Other Security Considerations"
}

Azure > CIS v1.2 > 8 - Other Security Considerations > Maximum Attestation Duration

The maximum duration for CIS attestations. Attestation policies cannot be set further in the future than is specified here.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/s08Attestation
Category
Valid Value
[
"Per Azure > CIS v1.2 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > CIS v1.2 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per Azure > CIS v1.2 > Maximum Attestation Duration"
}

Azure > CIS v1.2 > Maximum Attestation Duration

The maximum duration for CIS attestations. Attestation policies cannot be set further in the future than is specified here.

URI
tmod:@turbot/azure-cisv1-2#/policy/types/attestation
Category
Valid Value
[
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Skip"
}