Policy types for @turbot/azure-cisv1
- Azure > CIS v1
- Azure > CIS v1 > 1 Identity and Access Management
- Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are no guest users (Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.23 Ensure that no custom subscription owner roles are created (Scored)
- Azure > CIS v1 > 2 Security Center
- Azure > CIS v1 > 2 Security Center > 2.01 Ensure that standard pricing tier is selected (Scored)
- Azure > CIS v1 > 2 Security Center > 2.02 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' (Scored)
- Azure > CIS v1 > 2 Security Center > 2.03 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.04 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.05 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.06 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.07 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.08 Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.09 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.10 Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.13 Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.16 Ensure that 'Security contact emails' is set (Scored)
- Azure > CIS v1 > 2 Security Center > 2.17 Ensure that security contact 'Phone number' is set (Scored)
- Azure > CIS v1 > 2 Security Center > 2.18 Ensure that 'Send email notification for high severity alerts' is set to 'On' (Scored)
- Azure > CIS v1 > 2 Security Center > 2.19 Ensure that 'Send email also to subscription owners' is set to 'On' (Scored)
- Azure > CIS v1 > 3 Storage
- Azure > CIS v1 > 3 Storage > 3.01 Ensure that 'Secure transfer required' is set to 'Enabled' (Scored)
- Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored) > Attestation
- Azure > CIS v1 > 3 Storage > 3.03 Ensure Storage logging is enabled for Queue service for read, write, and delete requests (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored) > Attestation
- Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored) > Attestation
- Azure > CIS v1 > 3 Storage > 3.06 Ensure that 'Public access level' is set to Private for blob containers (Scored)
- Azure > CIS v1 > 3 Storage > 3.07 Ensure default network access rule for Storage Accounts is set to deny (Scored)
- Azure > CIS v1 > 3 Storage > 3.08 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access (Not Scored)
- Azure > CIS v1 > 4 Database Services
- Azure > CIS v1 > 4 Database Services > 4.01 Ensure that 'Auditing' is set to 'On' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.02 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly (Scored)
- Azure > CIS v1 > 4 Database Services > 4.03 Ensure that 'Auditing' Retention is 'greater than 90 days' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.04 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.05 Ensure that 'Threat Detection types' is set to 'All' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.06 Ensure that 'Send alerts to' is set (Scored)
- Azure > CIS v1 > 4 Database Services > 4.07 Ensure that 'Email service and co-administrators' is 'Enabled' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.08 Ensure that Azure Active Directory Admin is configured (Scored)
- Azure > CIS v1 > 4 Database Services > 4.09 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Scored)
- Azure > CIS v1 > 4 Database Services > 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) (Scored)
- Azure > CIS v1 > 4 Database Services > 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.2 Ensure that Activity Log Retention is set 365 days or greater (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.3 Ensure audit profile captures all the activities (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.4 Ensure the log profile captures activity logs for all regions including global (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
- Azure > CIS v1 > 6 Networking
- Azure > CIS v1 > 6 Networking > 6.01 Ensure that RDP access is restricted from the internet (Scored)
- Azure > CIS v1 > 6 Networking > 6.02 Ensure that SSH access is restricted from the internet (Scored)
- Azure > CIS v1 > 6 Networking > 6.03 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Scored)
- Azure > CIS v1 > 6 Networking > 6.04 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Scored)
- Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
- Azure > CIS v1 > 7 Virtual Machines
- Azure > CIS v1 > 7 Virtual Machines > 7.01 Ensure that 'OS disk' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.02 Ensure that 'Data disks' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.03 Ensure that 'Unattached disks' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored) > Attestation
- Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored) > Attestation
- Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored) > Attestation
- Azure > CIS v1 > 8 Other Security Considerations
- Azure > CIS v1 > 8 Other Security Considerations > 8.01 Ensure that the expiration date is set on all keys (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.02 Ensure that the expiration date is set on all Secrets (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored) > Attestation
- Azure > CIS v1 > 8 Other Security Considerations > 8.04 Ensure the key vault is recoverable (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.05 Enable role-based access control (RBAC) within Azure Kubernetes Services (Scored)
- Azure > CIS v1 > 9 Application Services
- Azure > CIS v1 > 9 Application Services > 9.01 Ensure App Service Authentication is set on Azure App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.02 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.03 Ensure web app is using the latest version of TLS encryption (Scored)
- Azure > CIS v1 > 9 Application Services > 9.04 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Scored)
- Azure > CIS v1 > 9 Application Services > 9.05 Ensure that Register with Azure Active Directory is enabled on App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.06 Ensure that '.Net Framework' version is the latest, if used as a part of the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.07 Ensure that 'PHP version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.08 Ensure that 'Python version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.09 Ensure that 'Java version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.10 Ensure that 'HTTP Version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > Maximum Attestation Duration
Azure > CIS v1
Configures the default auditing level against the CIS Microsoft Azure Foundations Benchmark, version 1.*
tmod:@turbot/azure-cisv1#/policy/types/cis
[ "Skip", "Check: Level 1 (Scored)", "Check: Level 1 (Scored & Not Scored)", "Check: Level 1 & Level 2 (Scored)", "Check: Level 1 & Level 2 (Scored & Not Scored)"]
{ "type": "string", "enum": [ "Skip", "Check: Level 1 (Scored)", "Check: Level 1 (Scored & Not Scored)", "Check: Level 1 & Level 2 (Scored)", "Check: Level 1 & Level 2 (Scored & Not Scored)" ], "default": "Skip"}
Azure > CIS v1 > 1 Identity and Access Management
Covers the security recommendations to follow when setting identity and access management policies on an Azure subscription.
tmod:@turbot/azure-cisv1#/policy/types/s01
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Enable multi-factor authentication for all users whose credentials have write access to Azure resources. These include roles such as:
- Service Co-Administrators
- Subscription Owners
- Contributors
tmod:@turbot/azure-cisv1#/policy/types/r0101
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to All Users
- Click on Multi-Factor Authentication button on the top bar
- Ensure that MULTI-FACTOR AUTH STATUS is Enabled for all users who are Service Co-Administrators, Owners, or Contributors.
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0101Attestation
{ "type": "string", "format": "date-time", "default": ""}
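As an added example (not code from the Turbot mod), the attestation-value rule above encoded as a check: a blank value clears the attestation, otherwise the value must be a parseable date-time that is still in the future and no further out than the Maximum Attestation Duration. That the maximum duration is a number of days is an assumption; the page lists the policy but does not show its value or format.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: Maximum Attestation Duration is expressed as a number of days.
# The page lists the policy but does not show its value or format.

# Fixed "now" so the constructed checks below are reproducible.
NOW = datetime(2020, 1, 15, tzinfo=timezone.utc)


def parse_attestation(value: str) -> Optional[datetime]:
    """Parse an attestation policy value (schema: string, format date-time).

    A blank value clears the attestation and is returned as None.
    Raises ValueError when the value is not a valid ISO 8601 date-time.
    """
    text = value.strip()
    if text == "":
        return None
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11;
    # normalise it so older interpreters parse the same value.
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    expires = datetime.fromisoformat(text)
    if expires.tzinfo is None:
        # Treat a naive timestamp as UTC instead of guessing a local zone.
        expires = expires.replace(tzinfo=timezone.utc)
    return expires


def evaluate_attestation(value: str, max_duration_days: int, now: datetime) -> str:
    """Classify an attestation value against the rule stated on the page.

    Returns one of:
      'cleared'         blank value, attestation removed
      'invalid'         not a date-time, cannot be accepted
      'expired'         date is not in the future, attestation no longer holds
      'exceeds_maximum' date is later than now + Maximum Attestation Duration
      'valid'           attestation is in force
    """
    try:
        expires = parse_attestation(value)
    except ValueError:
        return "invalid"
    if expires is None:
        return "cleared"
    if expires <= now:
        return "expired"
    if expires > now + timedelta(days=max_duration_days):
        return "exceeds_maximum"
    return "valid"


if __name__ == "__main__":
    # Constructed sample values, evaluated with a 90-day maximum.
    samples = [
        "",
        "2020-02-01T00:00:00Z",
        "2020-01-01T00:00:00Z",
        "2020-06-01T00:00:00Z",
        "not-a-date",
    ]
    for sample in samples:
        print(f"{sample!r:28} -> {evaluate_attestation(sample, 90, NOW)}")
```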
Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Enable multi-factor authentication for all non-privileged users.
tmod:@turbot/azure-cisv1#/policy/types/r0102
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to All Users
- Click on Multi-Factor Authentication button on the top bar
- Ensure that MULTI-FACTOR AUTH STATUS is Enabled for all users
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0102Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are no guest users (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Do not add guest users unless they are needed.
tmod:@turbot/azure-cisv1#/policy/types/r0103
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Do not allow users to remember multi-factor authentication on devices.
tmod:@turbot/azure-cisv1#/policy/types/r0104
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to All Users
- Click on Multi-Factor Authentication button on the top bar
- Click on service settings
- Disable Allow users to remember multi-factor authentication on devices they trust
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0104Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Ensure that two alternate forms of identification are provided before allowing a password reset.
tmod:@turbot/azure-cisv1#/policy/types/r0105
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to Password reset
- Go to Authentication methods
- Ensure that Number of methods required to reset is set to 2
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0105Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.
tmod:@turbot/azure-cisv1#/policy/types/r0106
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to Password reset
- Go to Registration
- Ensure that Number of days before users are asked to re-confirm their authentication information is not set to 0
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0106Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Ensure that users are notified on their primary and secondary emails on password resets.
tmod:@turbot/azure-cisv1#/policy/types/r0107
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to Password reset
- Go to Notification
- Ensure that Notify users on password resets? is set to Yes
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0107Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Ensure that all administrators are notified if any other administrator resets their password.
tmod:@turbot/azure-cisv1#/policy/types/r0108
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and groups
- Go to Password reset
- Go to Notification
- Ensure that Notify all admins when other admins reset their password? is set to Yes
Once verified, enter the date on which this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0108Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Require administrators to provide consent for the apps before use.
tmod:@turbot/azure-cisv1#/policy/types/r0109
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Ensure that Users can consent to apps accessing company data on their behalf is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0109Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Require administrators to provide consent for the apps before use.
tmod:@turbot/azure-cisv1#/policy/types/r0110
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Ensure that Users can add gallery apps to their Access Panel is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0110Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Require administrators to register third-party applications.
tmod:@turbot/azure-cisv1#/policy/types/r0111
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Ensure that Users can register applications is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0111Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Limit guest user permissions.
tmod:@turbot/azure-cisv1#/policy/types/r0112
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Ensure that Guest user permissions are limited is set to Yes
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0112Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict invitations to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0113
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Set Members can invite to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0113Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict guest invitations.
tmod:@turbot/azure-cisv1#/policy/types/r0114
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Ensure that Guests can invite is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0114Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Restrict access to the Azure AD administration portal to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0115
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to User settings
- Ensure that Restrict access to Azure AD administration portal is set to Yes
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0115Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict group creation to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0116
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Group settings
- Ensure that Self-service group management enabled is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0116Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict security group creation to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0117
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Group settings
- Ensure that Users can create security groups is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0117Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict security group management to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0118
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Group settings
- Ensure that Users who can manage security groups is set to None
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0118Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict Office 365 group creation to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0119
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Group settings
- Ensure that Users can create Office 365 groups is set to No
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0119Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Restrict Office 365 group management to administrators only.
tmod:@turbot/azure-cisv1#/policy/types/r0120
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Group settings
- Ensure that Users who can manage Office 365 groups is set to None
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0120Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Enable All Users group for centralized administration of all users.
tmod:@turbot/azure-cisv1#/policy/types/r0121
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Group settings
- Ensure that Enable "All Users" group is set to Yes
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0121Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Joining devices to Azure Active Directory should require multi-factor authentication.
tmod:@turbot/azure-cisv1#/policy/types/r0122
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Azure Active Directory
- Go to Users and group
- Go to Device settings
- Ensure that Require Multi-Factor Auth to join devices is set to Yes
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0122Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 1 Identity and Access Management > 1.23 Ensure that no custom subscription owner roles are created (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
tmod:@turbot/azure-cisv1#/policy/types/r0123
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center
Covers security recommendations for Azure Security Center.
tmod:@turbot/azure-cisv1#/policy/types/s02
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 2 Security Center > 2.01 Ensure that standard pricing tier is selected (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.
tmod:@turbot/azure-cisv1#/policy/types/r0201
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.02 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable automatic provisioning of the monitoring agent to collect security data.
tmod:@turbot/azure-cisv1#/policy/types/r0202
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.03 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable system updates recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0203
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.04 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Monitor OS vulnerability recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0204
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.05 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Endpoint protection recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0205
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.06 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Disk encryption recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0206
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.07 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Network security group recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0207
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.08 Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Web application firewall recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0208
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.09 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable next generation firewall recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0209
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.10 Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable vulnerability assessment recommendations for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0210
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable storage encryption recommendations.
tmod:@turbot/azure-cisv1#/policy/types/r0211
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Enable JIT Network Access for virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0212
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.13 Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable adaptive application controls.
tmod:@turbot/azure-cisv1#/policy/types/r0213
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable SQL auditing recommendations.
tmod:@turbot/azure-cisv1#/policy/types/r0214
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable SQL encryption recommendations.
tmod:@turbot/azure-cisv1#/policy/types/r0215
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.16 Ensure that 'Security contact emails' is set (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Provide a security contact email address.
tmod:@turbot/azure-cisv1#/policy/types/r0216
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.17 Ensure that security contact 'Phone number' is set (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Provide a security contact phone number.
tmod:@turbot/azure-cisv1#/policy/types/r0217
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.18 Ensure that 'Send email notification for high severity alerts' is set to 'On' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable emailing security alerts to the security contact.
tmod:@turbot/azure-cisv1#/policy/types/r0218
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 2 Security Center > 2.19 Ensure that 'Send email also to subscription owners' is set to 'On' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable security alert emails to subscription owners.
tmod:@turbot/azure-cisv1#/policy/types/r0219
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 3 Storage
Covers security recommendations for Azure Storage.
tmod:@turbot/azure-cisv1#/policy/types/s03
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 3 Storage > 3.01 Ensure that 'Secure transfer required' is set to 'Enabled' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable data encryption in transit.
tmod:@turbot/azure-cisv1#/policy/types/r0301
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Regenerate storage account access keys periodically.
tmod:@turbot/azure-cisv1#/policy/types/r0302
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Storage Accounts
- For each storage account, go to Activity log
- Under Timespan drop-down, select Custom and choose Start time and End time such that it ranges 90 days
- Enter RegenerateKey in the Search text box
- Click Apply. It should list all RegenerateKey events. If no such event exists, then this is a finding.
Azure Command Line Interface 2.0
- Step 1: Get a list of storage accounts: az storage account list. Make a note of id, name and resourceGroup.
- Step 2: For every storage account, make sure that the key has been regenerated in the past 90 days: az monitor activity-log list --resource-group
- The output should contain "authorization"/"scope": <your_storage_account> AND "authorization"/"action": "Microsoft.Storage/storageAccounts/regenerateKey/action" AND "status"/"localizedValue": "Succeeded" "status"/"Value": "Succeeded" AND "eventTimestamp" (the returned time and date should be within the past 90 days).
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0302Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 3 Storage > 3.03 Ensure Storage logging is enabled for Queue service for read, write, and delete requests (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.
tmod:@turbot/azure-cisv1#/policy/types/r0303
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Expire shared access signature tokens within an hour.
tmod:@turbot/azure-cisv1#/policy/types/r0304
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Currently, SAS token expiration times cannot be audited. Until Microsoft makes token expiration time a setting rather than a token creation parameter, this recommendation would require a manual verification.
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0304Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Shared access signature tokens should be allowed only over HTTPS protocol.
tmod:@turbot/azure-cisv1#/policy/types/r0305
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Currently, SAS token protocols cannot be audited. Until Microsoft makes SAS transfer protocols a setting rather than a token creation parameter, this recommendation will require a manual verification.
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0305Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 3 Storage > 3.06 Ensure that 'Public access level' is set to Private for blob containers (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Disable anonymous access to blob containers.
tmod:@turbot/azure-cisv1#/policy/types/r0306
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 3 Storage > 3.07 Ensure default network access rule for Storage Accounts is set to deny (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
tmod:@turbot/azure-cisv1#/policy/types/r0307
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 3 Storage > 3.08 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.
tmod:@turbot/azure-cisv1#/policy/types/r0308
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services
Covers recommendations addressing Database Services.
tmod:@turbot/azure-cisv1#/policy/types/s04
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 4 Database Services > 4.01 Ensure that 'Auditing' is set to 'On' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable auditing on SQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0401
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.02 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Configure the 'AuditActionGroups' property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server.
tmod:@turbot/azure-cisv1#/policy/types/r0402
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.03 Ensure that 'Auditing' Retention is 'greater than 90 days' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
SQL Server Audit Retention should be configured to be greater than 90 days.
tmod:@turbot/azure-cisv1#/policy/types/r0403
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.04 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Enable "Advanced Data Security" on critical SQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0404
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.05 Ensure that 'Threat Detection types' is set to 'All' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Enable all types of threat detection on SQL servers.
tmod:@turbot/azure-cisv1#/policy/types/r0405
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.06 Ensure that 'Send alerts to' is set (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Provide the email address where alerts will be sent when anomalous activities are detected on SQL servers.
tmod:@turbot/azure-cisv1#/policy/types/r0406
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.07 Ensure that 'Email service and co-administrators' is 'Enabled' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Enable service and co-administrators to receive security alerts from the SQL server.
tmod:@turbot/azure-cisv1#/policy/types/r0407
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.08 Ensure that Azure Active Directory Admin is configured (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Use Azure Active Directory Authentication for authentication with SQL Database.
tmod:@turbot/azure-cisv1#/policy/types/r0408
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.09 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Transparent Data Encryption on every SQL server.
tmod:@turbot/azure-cisv1#/policy/types/r0409
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. In the past, only a certificate managed by the Azure SQL Service could be used to protect this data encryption key (DEK). Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or the criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK).
tmod:@turbot/azure-cisv1#/policy/types/r0410
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
tmod:@turbot/azure-cisv1#/policy/types/r0411
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable log_checkpoints on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0412
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable SSL connection on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0413
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable log_connections on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0414
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable log_disconnections on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0415
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable log_duration on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0416
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable connection_throttling on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0417
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 4 Database Services > 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable log_retention_days on PostgreSQL Servers.
tmod:@turbot/azure-cisv1#/policy/types/r0418
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile
Covers recommendations addressing Log Profile.
tmod:@turbot/azure-cisv1#/policy/types/s0501
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable log profile for exporting activity logs.
tmod:@turbot/azure-cisv1#/policy/types/r050101
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.2 Ensure that Activity Log Retention is set 365 days or greater (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure activity log retention is set for 365 days or greater.
tmod:@turbot/azure-cisv1#/policy/types/r050102
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.3 Ensure audit profile captures all the activities (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
The log profile should be configured to export all activities from the control/management plane.
tmod:@turbot/azure-cisv1#/policy/types/r050103
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.4 Ensure the log profile captures activity logs for all regions including global (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Configure the log profile to export activities from all Azure supported regions/locations including global.
tmod:@turbot/azure-cisv1#/policy/types/r050104
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
The storage account container containing the activity log export should not be publicly accessible.
tmod:@turbot/azure-cisv1#/policy/types/r050105
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
tmod:@turbot/azure-cisv1#/policy/types/r050106
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
tmod:@turbot/azure-cisv1#/policy/types/r050107
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts
This section covers security recommendations to follow in order to set alerting and monitoring for critical activities on an Azure subscription.
tmod:@turbot/azure-cisv1#/policy/types/s0502
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Create Policy Assignment event.
tmod:@turbot/azure-cisv1#/policy/types/r050201
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Create or Update Network Security Group event.
tmod:@turbot/azure-cisv1#/policy/types/r050202
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Delete Network Security Group event.
tmod:@turbot/azure-cisv1#/policy/types/r050203
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Create or Update Network Security Group Rule event.
tmod:@turbot/azure-cisv1#/policy/types/r050204
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Delete Network Security Group Rule event.
tmod:@turbot/azure-cisv1#/policy/types/r050205
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Create or Update Security Solution event.
tmod:@turbot/azure-cisv1#/policy/types/r050206
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Delete Security Solution event.
tmod:@turbot/azure-cisv1#/policy/types/r050207
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.
tmod:@turbot/azure-cisv1#/policy/types/r050208
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Create an activity log alert for the Update Security Policy event.
tmod:@turbot/azure-cisv1#/policy/types/r050209
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 6 Networking
This section covers security recommendations to follow in order to set networking policies on an Azure subscription.
tmod:@turbot/azure-cisv1#/policy/types/s06
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 6 Networking > 6.01 Ensure that RDP access is restricted from the internet (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Disable RDP access on network security groups from the Internet.
tmod:@turbot/azure-cisv1#/policy/types/r0601
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 6 Networking > 6.02 Ensure that SSH access is restricted from the internet (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Disable SSH access on network security groups from the Internet.
tmod:@turbot/azure-cisv1#/policy/types/r0602
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 6 Networking > 6.03 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
tmod:@turbot/azure-cisv1#/policy/types/r0603
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 6 Networking > 6.04 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Scored)
Network Security Group Flow Logs should be enabled, with the retention period set to 90 days or greater.
tmod:@turbot/azure-cisv1#/policy/types/r0604
[ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 2 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Enable Network Watcher for Azure subscriptions.
tmod:@turbot/azure-cisv1#/policy/types/r0605
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 7 Virtual Machines
Covers security recommendations for Azure Compute.
tmod:@turbot/azure-cisv1#/policy/types/s07
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 7 Virtual Machines > 7.01 Ensure that 'OS disk' are encrypted (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure that OS disks (boot volumes) are encrypted, where possible.
tmod:@turbot/azure-cisv1#/policy/types/r0701
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 7 Virtual Machines > 7.02 Ensure that 'Data disks' are encrypted (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure that data disks (non-boot volumes) are encrypted, where possible.
tmod:@turbot/azure-cisv1#/policy/types/r0702
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 7 Virtual Machines > 7.03 Ensure that 'Unattached disks' are encrypted (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure that unattached disks in a subscription are encrypted.
tmod:@turbot/azure-cisv1#/policy/types/r0703
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Only install organization-approved extensions on VMs.
tmod:@turbot/azure-cisv1#/policy/types/r0704
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Virtual machines
- For each virtual machine, go to Settings
- Click on Extensions
- Ensure that the listed extensions are approved for use.
Azure Command Line Interface 2.0
Use the below command to list the extensions attached to a VM, and ensure the listed extensions are approved for use.
az vm extension list --vm-name <vmName> --resource-group <sourceGroupName> --query '[*].name'
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0704Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Ensure that the latest OS patches for all virtual machines are applied.
tmod:@turbot/azure-cisv1#/policy/types/r0705
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Security Center - Recommendations
- Ensure that there are no recommendations for Apply system updates
Alternatively, you can employ your own patch assessment and management tool to periodically assess, report and install the required security patches for your OS.
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0705Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Install endpoint protection for all virtual machines.
tmod:@turbot/azure-cisv1#/policy/types/r0706
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 1 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Go to Security Center - Recommendations
- Ensure that there are no recommendations for Endpoint Protection not installed on Azure VMs
Azure Command Line Interface 2.0
az vm show -g MyResourceGroup -n MyVm -d
The output should list one of the extensions below, or any other endpoint protection extension, among the installed extensions:
EndpointSecurity || TrendMicroDSA || Antimalware || EndpointProtection || SCWPAgent || PortalProtectExtension || FileSecurity*
Alternatively, you can employ your own endpoint protection tool for your OS.
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0706Attestation
{ "type": "string", "format": "date-time", "default": ""}
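The manual check above amounts to scanning the VM's installed extensions for one of the benchmark's endpoint protection names. The following added example (not part of the Turbot mod or the CIS Benchmark) does that scan over the JSON that `az vm show -d` prints. It assumes the Azure CLI's output shape, where installed extensions appear as objects under the `resources` array with a `name` field, and it treats the benchmark's `FileSecurity*` entry as a prefix pattern; the sample VM records are constructed.

```python
"""Audit helper for CIS Azure v1 item 7.06 (endpoint protection installed).

Added example, not code from the Turbot mod. Assumption: the input is the
JSON emitted by ``az vm show -g <rg> -n <vm> -d``, in which installed
extensions are listed under ``resources`` and each carries a ``name``.
"""
import fnmatch
import json
from typing import Dict, List

# Extension names the benchmark accepts as endpoint protection. The final
# entry is a glob in the benchmark text, so names are matched with fnmatch.
ENDPOINT_PROTECTION_PATTERNS = (
    "EndpointSecurity",
    "TrendMicroDSA",
    "Antimalware",
    "EndpointProtection",
    "SCWPAgent",
    "PortalProtectExtension",
    "FileSecurity*",
)

# Constructed sample output, trimmed to the fields this check reads.
VM_WITH_PROTECTION_JSON = json.dumps({
    "name": "web-01",
    "resources": [
        {"name": "CustomScript"},
        {"name": "FileSecurityAgent"},
    ],
})
VM_WITHOUT_PROTECTION_JSON = json.dumps({
    "name": "batch-02",
    "resources": [
        {"name": "CustomScript"},
    ],
})


def installed_extension_names(vm_json: str) -> List[str]:
    """Return the extension names found in an ``az vm show`` document."""
    vm = json.loads(vm_json)
    return [res.get("name", "") for res in (vm.get("resources") or [])]


def matches_endpoint_protection(name: str) -> bool:
    """True when ``name`` is one of the benchmark's accepted extensions.

    Matching is case-sensitive, as the benchmark lists the names.
    """
    return any(fnmatch.fnmatchcase(name, pattern)
               for pattern in ENDPOINT_PROTECTION_PATTERNS)


def endpoint_protection_findings(vm_json: str) -> Dict[str, object]:
    """Summarise the check for one VM: which extensions matched, and all seen."""
    names = installed_extension_names(vm_json)
    matched = [n for n in names if matches_endpoint_protection(n)]
    return {"compliant": bool(matched), "matched": matched, "installed": names}


def has_endpoint_protection(vm_json: str) -> bool:
    """Pass/fail view of the 7.06 check for one VM."""
    return bool(endpoint_protection_findings(vm_json)["compliant"])


if __name__ == "__main__":
    for doc in (VM_WITH_PROTECTION_JSON, VM_WITHOUT_PROTECTION_JSON):
        print(json.loads(doc)["name"], endpoint_protection_findings(doc))
```

A VM that runs a product not on the benchmark's list still counts as protected under the "or any other endpoint extension" clause, so a failing result from this helper is a prompt to review the VM, not an automatic finding; extend `ENDPOINT_PROTECTION_PATTERNS` with the names your organisation has approved.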
Azure > CIS v1 > 8 Other Security Considerations
This section covers security recommendations to follow in order to set general security and operational controls on an Azure Subscription.
tmod:@turbot/azure-cisv1#/policy/types/s08
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 8 Other Security Considerations > 8.01 Ensure that the expiration date is set on all keys (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure that all keys in Azure Key Vault have an expiration time set.
tmod:@turbot/azure-cisv1#/policy/types/r0801
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 8 Other Security Considerations > 8.02 Ensure that the expiration date is set on all Secrets (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Ensure that all Secrets in the Azure Key Vault have an expiration time set.
tmod:@turbot/azure-cisv1#/policy/types/r0802
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
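Items 8.01 and 8.02 both reduce to the same question: does every object in the vault carry an expiration time? The following added example (not part of the Turbot mod or the CIS Benchmark) answers it over the JSON that `az keyvault key list` or `az keyvault secret list` prints. It assumes the Azure CLI's output shape, a list of objects each with a `name` and an `attributes.expires` value that is an ISO 8601 timestamp or null, and also separates objects whose expiry has already passed from those still valid; the sample listing and the audit time are constructed.

```python
"""Audit helper for CIS Azure v1 items 8.01 and 8.02 (Key Vault expiry set).

Added example, not code from the Turbot mod. Assumption: the input is the
JSON list printed by ``az keyvault key list`` / ``az keyvault secret list``,
where each object has ``name`` and ``attributes.expires`` (ISO 8601 or null).
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fixed audit time so the constructed sample gives stable results.
AUDIT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample listing, trimmed to the fields this check reads.
SAMPLE_LISTING_JSON = json.dumps([
    {"name": "db-encryption-key",
     "attributes": {"enabled": True, "expires": "2031-01-01T00:00:00+00:00"}},
    {"name": "legacy-signing-key",
     "attributes": {"enabled": True, "expires": None}},
    {"name": "rotated-out-key",
     "attributes": {"enabled": True, "expires": "2019-06-30T00:00:00Z"}},
    {"name": "no-attributes-at-all"},
])


def _parse_expiry(value: Optional[str]) -> Optional[datetime]:
    """Parse the CLI's ISO 8601 expiry; accept a trailing 'Z' for UTC."""
    if not value:
        return None
    expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Treat a naive timestamp as UTC so comparisons never raise.
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)
    return expiry


def audit_expiration(listing_json: str,
                     now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Bucket every object by expiry state: missing, already expired, or ok."""
    now = now or datetime.now(timezone.utc)
    report: Dict[str, List[str]] = {"missing_expiry": [], "expired": [], "ok": []}
    for item in json.loads(listing_json):
        name = item.get("name") or item.get("id") or item.get("kid") or "<unnamed>"
        expiry = _parse_expiry((item.get("attributes") or {}).get("expires"))
        if expiry is None:
            report["missing_expiry"].append(name)
        elif expiry <= now:
            report["expired"].append(name)
        else:
            report["ok"].append(name)
    return report


def is_compliant(listing_json: str) -> bool:
    """The benchmark only requires that an expiry exists, so that is the test."""
    return not audit_expiration(listing_json)["missing_expiry"]


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed listing at the fixed audit time."""
    return audit_expiration(SAMPLE_LISTING_JSON, now=AUDIT_TIME)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
    print("compliant:", is_compliant(SAMPLE_LISTING_JSON))
```

The `expired` bucket is outside the literal scope of 8.01/8.02 but is worth surfacing in the same pass: an expired key or secret that is still enabled usually means a rotation that never completed, and the same listing already contains the evidence.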
Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Control (RBAC) hierarchy and, when applied, place restrictions on the resource for all users. They are very useful when a subscription contains an important resource that users should not be able to delete or change, and they help prevent both accidental and malicious changes or deletion.
tmod:@turbot/azure-cisv1#/policy/types/r0803
[ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation"]
{ "type": "string", "enum": [ "Per Azure > CIS v1 using attestation", "Skip", "Check: Level 2 (Not Scored) using attestation" ], "default": "Per Azure > CIS v1 using attestation"}
Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored) > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
Azure Console
- Navigate to the specific Azure Resource or Resource Group
- Click on Locks
- Ensure the lock is defined with name and description, type as CanNotDelete or ReadOnly as appropriate.
Azure Command Line Interface 2.0
Review the list of all locks currently set:
az lock list --resource-group <resourcegroupname> --resource-name <resourcename> --namespace <Namespace> --resource-type <type> --parent ""
Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in Azure > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
tmod:@turbot/azure-cisv1#/policy/types/r0803Attestation
{ "type": "string", "format": "date-time", "default": ""}
Azure > CIS v1 > 8 Other Security Considerations > 8.04 Ensure the key vault is recoverable (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.
tmod:@turbot/azure-cisv1#/policy/types/r0804
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 8 Other Security Considerations > 8.05 Enable role-based access control (RBAC) within Azure Kubernetes Services (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Azure Kubernetes Services has the capability to integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. This should be utilized to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls not just of the overarching AKS instance but also the individual resources managed within Kubernetes.
tmod:@turbot/azure-cisv1#/policy/types/r0805
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services
Covers security recommendations for Azure AppService.
tmod:@turbot/azure-cisv1#/policy/types/s09
[ "Skip"]
{ "type": "string", "enum": [ "Skip" ], "example": [ "Skip" ], "default": "Skip"}
Azure > CIS v1 > 9 Application Services > 9.01 Ensure App Service Authentication is set on Azure App Service (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
tmod:@turbot/azure-cisv1#/policy/types/r0901
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.02 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
tmod:@turbot/azure-cisv1#/policy/types/r0902
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.03 Ensure web app is using the latest version of TLS encryption (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS.
tmod:@turbot/azure-cisv1#/policy/types/r0903
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.04 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
tmod:@turbot/azure-cisv1#/policy/types/r0904
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.05 Ensure that Register with Azure Active Directory is enabled on App Service (Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Scored)
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.
tmod:@turbot/azure-cisv1#/policy/types/r0905
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.06 Ensure that '.Net Framework' version is the latest, if used as a part of the web app (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. Using the latest .Net Framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently the latest .Net Framework version for web apps is 'v4.0'. Turbot updates this option when a newer version is found.
tmod:@turbot/azure-cisv1#/policy/types/r0906
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.07 Ensure that 'PHP version' is the latest, if used to run the web app (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. Currently the latest PHP version for web apps is '7.3'. Turbot updates this option when a newer version is found.
tmod:@turbot/azure-cisv1#/policy/types/r0907
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.08 Ensure that 'Python version' is the latest, if used to run the web app (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. Currently the latest Python version for web apps is '3.7'. Turbot updates this option when a newer version is found.
tmod:@turbot/azure-cisv1#/policy/types/r0908
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.09 Ensure that 'Java version' is the latest, if used to run the web app (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently the latest Java version for web apps is '11'. Turbot updates this option when a newer version is found.
tmod:@turbot/azure-cisv1#/policy/types/r0909
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > 9 Application Services > 9.10 Ensure that 'HTTP Version' is the latest, if used to run the web app (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 1 (Not Scored)
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.
tmod:@turbot/azure-cisv1#/policy/types/r0910
[ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)"]
{ "type": "string", "enum": [ "Per Azure > CIS v1", "Skip", "Check: Level 1 (Not Scored)" ], "default": "Per Azure > CIS v1"}
Azure > CIS v1 > Maximum Attestation Duration
The maximum duration for CIS Attestations. Attestation policies cannot be set further in the future than is specified here.
tmod:@turbot/azure-cisv1#/policy/types/attestation
[ "Skip", "30 days", "60 days", "90 days", "1 year", "2 years", "3 years"]
{ "type": "string", "enum": [ "Skip", "30 days", "60 days", "90 days", "1 year", "2 years", "3 years" ], "default": "Skip"}