Control types for @turbot/azure-cisv2-0

Azure > CIS v2.0

Configures a default auditing level against the CIS Microsoft Azure Foundations Benchmark, Version 2.0.

URI
tmod:@turbot/azure-cisv2-0#/control/types/cis
Parent
Category

Azure > CIS v2.0 > 01 - Identity and Access Management

This section covers security recommendations to set identity and access management policies on an Azure Subscription. Identity and Access Management policies are the first step towards a defense-in-depth approach to securing an Azure Cloud Platform environment.

Many of the recommendations in this section are marked as "Manual" because the existing Azure CLI and Azure AD PowerShell support through the Azure AD Graph is being deprecated. It is now recommended to use Microsoft Graph in place of Azure AD Graph for PowerShell and API-level access. From a security posture standpoint, these recommendations are still very important and should not be discounted because they are "Manual." As automation capability using the REST API is developed for this Benchmark, the related recommendations will be updated with the respective audit and remediation steps and changed to an "Automated" assessment status.

If any problems are encountered running the Azure CLI or PowerShell methodologies, please refer to the Overview for this benchmark, where you will find additional detail on permissions and required cmdlets.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s01
Category

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults

The Azure "Security Defaults" recommendations represent an entry-level set of recommendations which will be relevant to organizations and tenants that are either just starting to use Azure as an IaaS solution, or are only utilizing a bare minimum feature set such as the freely licensed tier of Azure Active Directory. Security Defaults recommendations are intended to ensure that these entry-level use cases are still capable of establishing a strong baseline of secure configuration.

If your subscription is licensed to use Azure AD Premium P1 or P2, it is strongly recommended that the "Security Defaults" section (this section and the recommendations therein) be bypassed in favor of the use of "Conditional Access."

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0101
Category

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory

Configures auditing against a CIS Benchmark item.

Level: 1

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.

Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.

Security defaults provide secure default settings that Microsoft manages on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, security defaults do the following:
1. Requiring all users and admins to register for MFA.
2. Challenging users with MFA - when necessary, based on factors such as location, device, role, and task.
3. Disabling authentication from legacy authentication clients, which can't do MFA.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

Configures auditing against a CIS Benchmark item.

Level: 1

Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as:
• Service Co-Administrators
• Subscription Owners
• Contributors

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

Configures auditing against a CIS Benchmark item.

Level: 2

Enable multi-factor authentication for all non-privileged users.

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
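As an added example (not Turbot, CIS or Microsoft code), the following Python evaluates 1.01.02 and 1.01.03 together against constructed sample data. The role-assignment records follow the shape of `az role assignment list --all` output and the registration records the shape of the Microsoft Graph `userRegistrationDetails` report; the UPNs, the subscription ID, the choice of which built-in roles count as "privileged", and the use of `isMfaCapable` as the stand-in for the portal's per-user "Multi-Factor Auth Status" are all assumptions of the example.

```python
"""CIS 1.01.02 / 1.01.03: report users whose MFA status is not effective,
split into privileged (Level 1) and non-privileged (Level 2) findings.
Added example; the sample data below is constructed, not real tenant output.
"""
import json

# Roles that carry write access to Azure resources. Which roles count as
# "privileged" is an assumption of this example; extend it to cover your
# own custom roles.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --all` output.
ROLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"principalName": "carol@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "ci-deploy", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")

# Constructed sample in the shape of the Microsoft Graph report
# GET /reports/authenticationMethods/userRegistrationDetails (the value array).
REGISTRATION_DETAILS = json.loads("""[
  {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": true,  "isMfaCapable": true},
  {"userPrincipalName": "bob@contoso.example",   "isMfaRegistered": true,  "isMfaCapable": false},
  {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": false, "isMfaCapable": false},
  {"userPrincipalName": "dave@contoso.example",  "isMfaRegistered": true,  "isMfaCapable": true}
]""")


def privileged_users(assignments, privileged_roles=PRIVILEGED_ROLES):
    """UPNs of human users holding a write-capable role at any scope.

    Service principals and managed identities are skipped on purpose: they
    cannot perform interactive MFA and need their own control (credential
    hygiene, Conditional Access for workload identities), so they must not
    be silently counted as compliant users either.
    """
    return {
        a["principalName"]
        for a in assignments
        if a["principalType"] == "User" and a["roleDefinitionName"] in privileged_roles
    }


def mfa_findings(assignments, registration):
    """One finding per user without an effective MFA status.

    A user is compliant only when isMfaCapable is true (a strong method is
    registered AND the user is enabled for MFA by policy). A user who merely
    registered a method but is not enabled (bob) is still a finding.
    """
    privileged = privileged_users(assignments)
    findings = []
    for rec in registration:
        if rec.get("isMfaCapable"):
            continue
        upn = rec["userPrincipalName"]
        if upn in privileged:
            findings.append({"user": upn, "control": "1.01.02", "level": 1})
        else:
            findings.append({"user": upn, "control": "1.01.03", "level": 2})
    # Level 1 (privileged) findings first, then alphabetical by user.
    return sorted(findings, key=lambda f: (f["level"], f["user"]))


if __name__ == "__main__":
    for f in mfa_findings(ROLE_ASSIGNMENTS, REGISTRATION_DETAILS):
        print(f"{f['control']} (Level {f['level']}): {f['user']} has no effective MFA")
```

Against the sample, bob is reported under 1.01.02 (Contributor on a resource group, registered but not enabled) and carol under 1.01.03 (Reader only); the service principal never appears in the registration report and is left for a separate workload-identity control.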

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled

Configures auditing against a CIS Benchmark item.

Level: 1

Do not allow users to remember multi-factor authentication on devices.

Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access

For most Azure tenants, and certainly for organizations with a significant use of Azure Active Directory, Conditional Access policies are recommended and preferred. To use Conditional Access policies, a licensing plan is required, and Security Defaults must be disabled.

Conditional Access requires one of the following plans:
• Azure Active Directory Premium P1 or P2
• Microsoft 365 Business Premium
• Microsoft 365 E3 or E5
• Microsoft 365 F1, F3, F5 Security and F5 Security + Compliance
• Enterprise Mobility & Security E3 or E5

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0102
Category

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Active Directory Conditional Access allows an organization to configure Named Locations and to mark those locations as trusted or untrusted. These settings provide organizations the means to specify geographical locations for use in Conditional Access policies, or to define actual IP addresses and IP ranges and whether or not those addresses and ranges are trusted by the organization.

Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. Users authenticating from trusted IP addresses and/or ranges may have fewer access restrictions or access requirements than users who try to authenticate to Azure Active Directory from untrusted locations or untrusted source IP addresses/ranges.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered

Configures auditing against a CIS Benchmark item.

Level: 1

Conditional Access policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.

Conditional Access, when used as a deny list for the tenant or subscription, can block sign-ins from countries that are outside the scope of interest (e.g. customers, suppliers) or jurisdiction of an organization. Note that this is an authentication control: it decides whether a sign-in from a given location is allowed, not whether network traffic can flow to or from that country, and an attacker can still source a sign-in from an in-scope country. It remains an effective way to remove unnecessary, long-lasting exposure to international threats such as APTs.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups

Configures auditing against a CIS Benchmark item.

Level: 1

Users in the designated administrative groups will be prompted to complete multi-factor authentication (MFA) at sign-in.

Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users

Configures auditing against a CIS Benchmark item.

Level: 1

All designated users will be prompted to complete multi-factor authentication (MFA) at sign-in.

Enabling multi-factor authentication is a recommended setting to reduce the likelihood of account compromise and to limit access to authenticated personnel.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins

Configures auditing against a CIS Benchmark item.

Level: 1

Users whose sign-in is assessed as risky will be prompted to complete multi-factor authentication (MFA) before access is granted.

Enabling multi-factor authentication for risky sign-ins is a recommended setting to reduce the likelihood of account compromise and to limit access to authenticated personnel.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management

Configures auditing against a CIS Benchmark item.

Level: 1

Users performing Azure management operations will be prompted to complete multi-factor authentication (MFA) at sign-in.

Enabling multi-factor authentication for Azure management is a recommended setting to limit administrative actions to authenticated personnel and to prevent intruders from changing settings.
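The four Conditional Access recommendations above (1.02.03 through 1.02.06) can be checked together from the policy objects that Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. The Python below is an added example, not Turbot or CIS code. The four sample policies and the break-glass object ID are constructed; the two identifiers the check looks for are the published ones, the Global Administrator role template ID `62e90394-69f5-4237-9190-012177145e10` and the Microsoft Azure Management application ID `797f4846-ba00-4fd7-ba43-dac1f8f63013`. The check recognises only the built-in `mfa` grant control; a policy that requires MFA through an authentication strength would need the check extended.

```python
"""CIS 1.02.03-1.02.06: evaluate Conditional Access policies for the required
MFA coverage. Added example; SAMPLE_POLICIES is constructed data in the shape
of Microsoft Graph conditionalAccessPolicy objects.
"""
import json

GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
BREAK_GLASS_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # constructed

SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Require MFA for administrators", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": [], "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
               "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
     "applications": {"includeApplications": ["All"]},
     "signInRiskLevels": []},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["All"], "includeRoles": [],
               "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
     "applications": {"includeApplications": ["All"]},
     "signInRiskLevels": []},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA for risky sign-ins", "state": "enabledForReportingButNotEnforced",
   "conditions": {
     "users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
     "applications": {"includeApplications": ["All"]},
     "signInRiskLevels": ["high", "medium"]},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy authentication", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
     "applications": {"includeApplications": ["All"]},
     "signInRiskLevels": [],
     "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")


def _enforced_mfa_policies(policies):
    """Only enabled policies whose grant control includes built-in MFA count.

    Report-only ("enabledForReportingButNotEnforced") and disabled policies
    protect nothing, so they are dropped here; so are enforced policies whose
    grant is something other than MFA (e.g. "block").
    """
    out = []
    for p in policies:
        grant = p.get("grantControls") or {}
        if p.get("state") == "enabled" and "mfa" in (grant.get("builtInControls") or []):
            out.append(p)
    return out


def evaluate(policies):
    """Map each CIS item to True (a satisfying enforced policy exists) or False."""
    eff = _enforced_mfa_policies(policies)

    def users(p):
        return p["conditions"]["users"]

    def apps(p):
        return p["conditions"]["applications"].get("includeApplications", [])

    def risks(p):
        return set(p["conditions"].get("signInRiskLevels") or [])

    return {
        # 1.02.03: a policy scoped to the Global Administrator role at minimum.
        "1.02.03": any(GLOBAL_ADMIN_ROLE_TEMPLATE in users(p).get("includeRoles", []) for p in eff),
        # 1.02.04: a policy scoped to all users.
        "1.02.04": any("All" in users(p).get("includeUsers", []) for p in eff),
        # 1.02.05: a policy for all users that fires on high and medium sign-in risk.
        "1.02.05": any("All" in users(p).get("includeUsers", []) and {"high", "medium"} <= risks(p)
                       for p in eff),
        # 1.02.06: the Azure management API is targeted, explicitly or via "All" apps.
        "1.02.06": any(AZURE_MANAGEMENT_APP_ID in apps(p) or "All" in apps(p) for p in eff),
    }


def excluded_users(policies):
    """Exclusions on enforced MFA policies are where this control usually leaks.

    Returns the object IDs excluded from any enforced MFA policy so a reviewer
    can confirm each one is a documented break-glass account and nothing else.
    """
    return sorted({u for p in _enforced_mfa_policies(policies)
                   for u in p["conditions"]["users"].get("excludeUsers", [])})


if __name__ == "__main__":
    for item, ok in evaluate(SAMPLE_POLICIES).items():
        print(f"{item}: {'PASS' if ok else 'FAIL'}")
    print("excluded from MFA:", excluded_users(SAMPLE_POLICIES))
```

On the sample tenant 1.02.05 fails even though a risk-based MFA policy exists, because it is still in report-only mode; the other three pass, and the single exclusion is surfaced for review.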

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators or appropriately delegated users to create new tenants.

It is recommended to only allow an administrator to create new tenants. This prevents users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management

Configures auditing against a CIS Benchmark item.

Level: 2

This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2.

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.

Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis

Configures auditing against a CIS Benchmark item.

Level: 1

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.

Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.

Guest users in every subscription should be reviewed on a regular basis to ensure that inactive and unneeded accounts are removed.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensures that two alternate forms of identification are provided before allowing a password reset.

A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization

Configures auditing against a CIS Benchmark item.

Level: 1

Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premises Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. See the Default Value section of the benchmark for the specifics of this policy. To further strengthen password security, it is recommended to define a custom banned password policy as well.

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.

This setting is necessary if you have set up the 'Require users to register when signing in' option. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that users are notified on their primary and secondary emails on password resets.

User notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Global Administrators are notified if any other administrator resets their password.

Global Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 Ensure 'User consent for applications' is set to 'Do not allow user consent'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators to provide consent for applications before use.

If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'

Configures auditing against a CIS Benchmark item.

Level: 2

Allow users to provide consent for selected permissions when a request is coming from a verified publisher.

If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators to provide consent for the apps before use.

Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators or appropriately delegated users to register third-party applications.

It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Configures auditing against a CIS Benchmark item.

Level: 1

Limit guest user permissions.

Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction:
• Guest users have the same access as members (most inclusive)
• Guest users have limited access to properties and memberships of directory objects (default value)
• Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

The recommended option is the third, most restrictive one: "Guest user access is restricted to properties and memberships of their own directory objects".

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict invitations to users with specific administrative roles only.

Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.

By default, the 'Guest invite restrictions' setting is 'Anyone in the organization can invite guest users including guests and non-admins'. This allows anyone within the organization, guests included, to invite further guests into the tenant, posing a security risk.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Restrict access to the Azure AD administration portal to administrators only.

NOTE: This only affects access to the Azure AD administration web portal. It does not prevent users, privileged or not, from reading the same directory data through other means such as the Microsoft Graph REST API or PowerShell, so it is a usability guardrail rather than a security boundary.

The Azure AD administrative portal has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 2

Restricts group creation to administrators with permissions only.

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict security group creation to administrators only.

When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict security group management to administrators only.

Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict Microsoft 365 group creation to administrators only.

Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Joining or registering devices to Azure AD should require multi-factor authentication.

Multi-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first complete the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: some Microsoft documentation suggests using Conditional Access policies for joining a domain from certain allow-listed networks or devices. Even with these in place, using multi-factor authentication is still recommended, as it creates a process for review before joining the domain.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist

Configures auditing against a CIS Benchmark item.

Level: 1

The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.

Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Configures auditing against a CIS Benchmark item.

Level: 2

Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.

Given that managing resource locks requires the Microsoft.Authorization/locks/* permissions, which among the general-purpose built-in roles only Owner and User Access Administrator hold, it would be prudent to create a dedicated resource lock administrator role, so that lock management does not require full Owner rights and inadvertent unlocking of resources is prevented.
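The two role-definition checks above, 1.23 (no custom role with a wildcard action at subscription or broader scope) and 1.24 (a custom role confined to Microsoft.Authorization/locks/*), can be run over the same data. The Python below is an added example, not Turbot or CIS code; its four role definitions are constructed in the shape of `az role definition list --custom-role-only true` output, and the subscription ID and role names are placeholders.

```python
"""CIS 1.23 / 1.24: inspect custom RBAC role definitions. Added example; the
definitions below are constructed in the shape of
`az role definition list --custom-role-only true` output.
"""
import re

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

ROLE_DEFINITIONS = [
    {   # Flagged by 1.23: full wildcard, assignable to the whole subscription.
        "roleName": "Custom Subscription Admin", "roleType": "CustomRole",
        "assignableScopes": [SUBSCRIPTION],
        "permissions": [{"actions": ["*"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
    {   # Satisfies 1.24: every action lives under the locks namespace.
        "roleName": "Resource Lock Administrator", "roleType": "CustomRole",
        "assignableScopes": [SUBSCRIPTION],
        "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
    {   # Wildcard, but only assignable to one resource group: outside 1.23's
        # definition of a subscription administrator, though still worth review.
        "roleName": "App RG Deployer", "roleType": "CustomRole",
        "assignableScopes": [SUBSCRIPTION + "/resourceGroups/rg-app"],
        "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/write"],
                         "dataActions": [], "notDataActions": []}],
    },
    {   # Root-scoped but read-only: not a wildcard, so not flagged.
        "roleName": "Tenant Reader", "roleType": "CustomRole",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["*/read"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
]

# Scopes at which a wildcard action amounts to subscription administration:
# the root, a management group, or a whole subscription (not a resource group).
_ADMIN_SCOPE = re.compile(
    r"^(/|/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[0-9a-fA-F-]+)$"
)


def _actions(role):
    """Flatten the actions of every permission block in a role definition."""
    return [a for perm in role.get("permissions", []) for a in perm.get("actions", [])]


def admin_custom_roles(definitions):
    """1.23: custom roles granting '*' at root, management-group or subscription scope."""
    return sorted(
        r["roleName"] for r in definitions
        if r.get("roleType") == "CustomRole"
        and "*" in _actions(r)
        and any(_ADMIN_SCOPE.match(s) for s in r.get("assignableScopes", []))
    )


def lock_admin_roles(definitions):
    """1.24: custom roles whose actions are limited to Microsoft.Authorization/locks/*.

    A role that bundles lock rights with a wildcard is not a lock-administrator
    role in the CIS sense; every action must sit under the locks namespace.
    """
    out = []
    for r in definitions:
        acts = _actions(r)
        if r.get("roleType") == "CustomRole" and acts and all(
            a.lower().startswith("microsoft.authorization/locks/") for a in acts
        ):
            out.append(r["roleName"])
    return sorted(out)


if __name__ == "__main__":
    print("1.23 custom administrator roles:", admin_custom_roles(ROLE_DEFINITIONS))
    print("1.24 lock administrator roles:  ", lock_admin_roles(ROLE_DEFINITIONS))
```

The scope regex is what keeps the check honest: "App RG Deployer" also carries "*", but only on one resource group, so it is reported by neither function and is left to ordinary least-privilege review.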

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'

Configures auditing against a CIS Benchmark item.

Level: 2

Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.

Permissions to move subscriptions in and out of Azure Active Directory must only be given to appropriate administrative personnel. A subscription that is moved into an Azure Active Directory may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.

Azure > CIS v2.0 > 02 - Microsoft Defender

This section covers recommendations to consider for tenant-wide security policies and plans related to Microsoft Defender. Please note that because Microsoft Defender products require additional licensing, all Microsoft Defender plan recommendations in subsection 2.1 are assigned as “Level 2.”
Microsoft Defender products addressed in this section include:
• Microsoft Defender for Cloud
• Microsoft Defender for IoT
• Microsoft Defender External Attack Surface Management

URI
tmod:@turbot/azure-cisv2-0#/control/types/s02
Category

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud

This subsection is dedicated to providing guidance on Microsoft Defender for Cloud product plans. This guidance is intended to ensure that, at a minimum, the protective measures offered by these plans are being considered. Organizations may find that they have existing products or services that provide the same utility as some Microsoft Defender for Cloud products. Security and administrative personnel need to make the determination on their organization's behalf regarding which, if any, of these recommendations are relevant to their organization's needs. In consideration of the above, and because of the potential for increased cost and complexity, please be aware that all Defender plan recommendations are profiled as "Level 2" recommendations.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0201
Category

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Databases enables threat detection for the database workloads in a subscription, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud. "Databases" is not a separate engine but the bundle of four plans: Azure SQL Databases (2.01.04), SQL servers on machines (2.01.05), open-source relational databases (2.01.06) and Azure Cosmos DB (2.01.09). Only the SQL servers on machines plan runs inside your own instances, on the operating systems hosting the databases (IaaS); the other three protect the managed (PaaS) services.

Enabling Microsoft Defender for Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.

In scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for DNS scans all network traffic exiting from within a subscription.

DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.

Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that the latest OS patches for all virtual machines are applied.

Windows and Linux virtual machines should be kept updated to:

- Address a specific bug or flaw
- Improve an OS or application's general stability
- Fix a security vulnerability

The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The Security Center also checks for the latest updates on Linux systems. If a VM is missing a system update, the Security Center will recommend that system updates be applied.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'

Configures auditing against a CIS Benchmark item.

Level: 1

None of the settings offered by the ASC Default policy should be set to the effect 'Disabled'.

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. The ASC Default policy is associated with every subscription by default. The ASC Default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in the ASC Default policy ensures that Azure Security Center is able to monitor all of the supported recommendations and, optionally, take automated action for a few of them.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable automatic provisioning of the monitoring agent to collect security data.

When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.

Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Enable automatic provisioning of the Microsoft Defender for Containers components.

As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable security alert emails to subscription owners.

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email

Configures auditing against a CIS Benchmark item.

Level: 1

Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.

Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'

Configures auditing against a CIS Benchmark item.

Level: 1

Enables emailing security alerts to the subscription owner or other designated security contact.

Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected

Configures auditing against a CIS Benchmark item.

Level: 2

This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.

Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license.

Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected

Configures auditing against a CIS Benchmark item.

Level: 2

This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.

IMPORTANT: When enabling integration between DfE and DfC, take into account that this will have some side effects that may be undesirable.

1. For Windows Server 2019 and above, if Defender is installed (the default for these server SKUs), this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
2. If the new unified agent is required for Windows Server 2016 or lower, or for Linux SKUs, there is additional integration that needs to be switched on and the agents need to be aligned.

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.

MDE works only with Standard Tier subscriptions.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT

This section covers requirements for Microsoft Defender for IoT.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0202
Category

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.

IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring

As more services are exposed to the public internet, it is important to be able to monitor the externally exposed surface of your Azure Tenant. To this end, it is recommended that tools that monitor this surface are implemented.

Microsoft has a new tool for this in its Defender suite of products, Defender EASM. This tool is configured very simply to scan specified domains and report on them; specific domains and addresses can be excluded from the scan.

Typically these tools report on any vulnerability that is identified (CVE) and also identify ports and protocols that are open on devices.

Results are classified as Critical, High, Medium, or Low, with proposed mitigations.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0203
Category

Azure > CIS v2.0 > 03 - Storage Accounts

Covers security recommendations to follow to set storage account policies on an Azure Subscription. An Azure storage account provides a unique namespace to store and access Azure Storage data objects.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s03
Category

Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable data encryption in transit.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled

Configures auditing against a CIS Benchmark item.

Level: 2

Enable encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account

Configures auditing against a CIS Benchmark item.

Level: 1

Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The "Rotation Reminder" is an automatic reminder feature for a manual procedure.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated

Configures auditing against a CIS Benchmark item.

Level: 1

For increased security, regenerate storage account access keys periodically.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Configures auditing against a CIS Benchmark item.

Level: 2

The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64 KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour

Configures auditing against a CIS Benchmark item.

Level: 1

Expire shared access signature tokens within an hour.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Configures auditing against a CIS Benchmark item.

Level: 1

Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Configures auditing against a CIS Benchmark item.

Level: 2

Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).

Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts

Configures auditing against a CIS Benchmark item.

Level: 1

Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services traverses the VNet encrypted. This VNet can also link address spaces, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security by segmenting network traffic and preventing outside sources from accessing it.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Storage blobs contain data such as ePHI or financial records, which can be secret or personal. Data that is erroneously modified or deleted by an application or another storage account user will cause data loss or unavailability.

It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys

Configures auditing against a CIS Benchmark item.

Level: 2

Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

Configures auditing against a CIS Benchmark item.

Level: 2

The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"

Configures auditing against a CIS Benchmark item.

Level: 1

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.

Azure > CIS v2.0 > 04 - Database Services

Covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s04
Category

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing

Auditing for Azure SQL Servers and SQL Databases tracks database events and writes them to an audit log Azure storage account, Log Analytics workspace or Event Hubs. Auditing helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. Auditing enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. The Default SQL Server Auditing profile set for SQL server is inherited by all the SQL Databases which are part of the SQL server.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0401
Category

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable auditing on SQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

Configures auditing against a CIS Benchmark item.

Level: 2

Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.

Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers

Configures auditing against a CIS Benchmark item.

Level: 1

Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database

Configures auditing against a CIS Benchmark item.

Level: 1

Enable Transparent Data Encryption on every SQL server.

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'

Configures auditing against a CIS Benchmark item.

Level: 1

SQL Server Audit Retention should be configured to be greater than 90 days.

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL

Microsoft Defender for SQL provides a layer of security which enables customers to detect and respond to potential threats as they occur through security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Microsoft Defender for SQL may incur additional cost per SQL server.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0402
Category

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

Configures auditing against a CIS Benchmark item.

Level: 2

Enable "Microsoft Defender for SQL" on critical SQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

Configures auditing against a CIS Benchmark item.

Level: 2

Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server

Configures auditing against a CIS Benchmark item.

Level: 2

Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server

Configures auditing against a CIS Benchmark item.

Level: 2

Configure 'Send scan reports to' with the email addresses of the concerned data owners/stakeholders for critical SQL servers.

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server

Covers security best practices/recommendations for Azure PostgreSQL Database Servers.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0403
Category

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable SSL connection on PostgreSQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_checkpoints on PostgreSQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_connections on PostgreSQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_disconnections on PostgreSQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable connection_throttling on PostgreSQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

Configures auditing against a CIS Benchmark item.

Level: 1

Disable access from Azure services to PostgreSQL Database Server.

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database

Covers security best practices/recommendations for Azure MySQL Database Servers.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0404
Category

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable SSL connection on MySQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Private endpoints limit network traffic to approved sources.

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 2

Enable audit_log_enabled on MySQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 2

Set audit_log_events to include CONNECTION on MySQL Servers.

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB

Covers security best practices/recommendations for Azure Cosmos DB Database Servers.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0405
Category

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

Configures auditing against a CIS Benchmark item.

Level: 2

Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible

Configures auditing against a CIS Benchmark item.

Level: 2

Private endpoints limit network traffic to approved sources.

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible

Configures auditing against a CIS Benchmark item.

Level: 1

Cosmos DB can use tokens or AAD for client authentication, which in turn uses Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and Azure RBAC is better integrated with the rest of Azure.

Azure > CIS v2.0 > 05 - Logging and Monitoring

Covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s05
Category

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings

The Azure Diagnostic Settings capture control/management activities performed on a subscription or Azure AD Tenant. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of events that are stored or streamed and the outputs—storage account, log analytics workspace, event hub, and others. The Diagnostic Settings, if configured properly, can ensure that all logs are retained for longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all logs captured are retained for longer periods.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0501
Category

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

Configures auditing against a CIS Benchmark item.

Level: 1

The storage account container containing the activity log export should not be publicly accessible.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

Configures auditing against a CIS Benchmark item.

Level: 2

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled

Configures auditing against a CIS Benchmark item.

Level: 2

Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts

The recommendations provided in this section are intended to provide entry-level alerting for crucial activities on a tenant account. These recommended activities should be tuned to your needs. By default, each of these Activity Log Alerts tends to guide the reader to alerting at the "Subscription-wide" level which will capture and alert on rules triggered by all resources and resource groups contained within a subscription. This is not an ideal rule set for Alerting within larger and more complex organizations. While this section provides recommendations for the creation of Activity Log Alerts specifically, Microsoft Azure supports four different types of alerts:
- Metric Alerts
- Log Alerts
- Activity Log Alerts
- Smart Detection Alerts

All Azure services (Microsoft provided or otherwise) that can generate alerts are assigned a "Resource provider namespace" when they are registered in an Azure tenant. The recommendations in this section are in no way exhaustive of the plethora of available "Providers" or "Resource Types." The Resource Providers that are registered in your Azure Tenant can be located in your Subscription. Each registered Provider in your environment may have available "Conditions" to raise alerts via Activity Log Alerts. These providers should be considered for inclusion in Activity Log Alert rules of your own making.
To view the registered resource providers in your Subscription(s), use this guide:
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types

If you wish to create custom alerting rules for Activity Log Alerts or other alert types, please refer to Microsoft documentation:
- https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0502
Category

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create Policy Assignment event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Policy Assignment event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group

Configures auditing against a CIS Benchmark item.

Level: 1

Create an Activity Log Alert for the Create or Update Network Security Group event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Network Security Group event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create or Update Security Solution event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Security Solution event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create or Update SQL Server Firewall Rule event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete SQL Server Firewall Rule event.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create or Update Public IP Addresses rule.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Public IP Address rule.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights

Covers recommendations addressing Application Insights.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s0503
Category

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured

Configures auditing against a CIS Benchmark item.

Level: 2

Application Insights within Azure acts as an Application Performance Monitoring solution, providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data, providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it

Configures auditing against a CIS Benchmark item.

Level: 1

Resource Logs capture activity on the data access plane, while the Activity Log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (see the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type. A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length of time. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)

Configures auditing against a CIS Benchmark item.

Level: 2

The use of Basic or Free SKUs in Azure, whilst cost effective, has significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKUs do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently, Basic/Free SKUs should never be used for production workloads.

Azure > CIS v2.0 > 06 - Networking

Covers security recommendations to follow in order to set networking policies on an Azure subscription.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s06
Category

Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.

Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

Configures auditing against a CIS Benchmark item.

Level: 2

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 2

Enable Network Watcher for Azure subscriptions.

Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis

Configures auditing against a CIS Benchmark item.

Level: 1

Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.

Azure > CIS v2.0 > 07 - Virtual Machines

Covers recommendations to follow for the configuration of Virtual Machines on an Azure subscription.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s07
Category

Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks

Configures auditing against a CIS Benchmark item.

Level: 1

Migrate blob-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration. The features include:
1. Default Disk Encryption
2. Resilience, as Microsoft will manage the disk storage and move it if the underlying hardware becomes faulty
3. Reduction of costs over storage accounts

Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).

Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed

Configures auditing against a CIS Benchmark item.

Level: 1

For added security, only install organization-approved extensions on VMs.

Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed

Configures auditing against a CIS Benchmark item.

Level: 2

Install endpoint protection for all virtual machines.

Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted

Configures auditing against a CIS Benchmark item.

Level: 2

NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.

VHDs (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.

URI
tmod:@turbot/azure-cisv2-0#/control/types/r0707

Azure > CIS v2.0 > 08 - Key Vault

Covers security recommendations to follow for the configuration and use of Azure Key Vault.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s08
Category

Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable

Configures auditing against a CIS Benchmark item.

Level: 1

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.

It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.

WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.

Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault

Configures auditing against a CIS Benchmark item.

Level: 2

WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments.

This is a limitation of the soft-delete feature across all Azure services.

Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault

Configures auditing against a CIS Benchmark item.

Level: 2

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Configures auditing against a CIS Benchmark item.

Level: 2

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will be incrementally increased.

Azure > CIS v2.0 > 09 - Application Services

Covers security recommendations for Azure AppService.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s09
Category

Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service

Configures auditing against a CIS Benchmark item.

Level: 2

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.

Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption

Configures auditing against a CIS Benchmark item.

Level: 1

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.

Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service

Configures auditing against a CIS Benchmark item.

Level: 1

Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.

Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.

Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.

Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled

Configures auditing against a CIS Benchmark item.

Level: 1

By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.

Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets

Configures auditing against a CIS Benchmark item.

Level: 2

Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.

Azure > CIS v2.0 > 10 - Miscellaneous

Covers miscellaneous security recommendations.

URI
tmod:@turbot/azure-cisv2-0#/control/types/s10
Category

Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Configures auditing against a CIS Benchmark item.

Level: 2

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.