Product logo
DocsBlogPricing

Policy types for @turbot/azure-cisv2-0

Azure > CIS v2.0

Configures a default auditing level against the Microsoft Azure Foundations Benchmark, Version 2.0.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/cis
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 01 - Identity and Access Management

This section covers security recommendations to set identity and access management policies on an Azure Subscription. Identity and Access Management policies are the first step towards a defense-in-depth approach to securing an Azure Cloud Platform environment.
Many of the recommendations from this section are marked as "Manual" while the existing Azure CLI and Azure AD PowerShell support through the Azure AD Graph are being depreciated. It is now recommended to use the new Microsoft Graph in replacement of Azure AD Graph for PowerShell and API level access. From a security posture standpoint, these recommendations are still very important and should not be discounted because they are "Manual." As automation capability using Rest API is developed for this Benchmark, the related recommendations will be updated with the respective audit and remediation steps and changed to an "automated" assessment status.

If any problems are encountered running Azure CLI or PowerShell methodologies, please refer to the Overview for this benchmark where you will find additional detail on permission and required cmdlets.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s01
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults

The Azure "Security Defaults" recommendations represent an entry-level
set of recommendations which will be relevant to organizations and tenants that are
either just starting to use Azure as an IaaS solution, or are only utilizing a bare minimum
feature set such as the freely licensed tier of Azure Active Directory. Security Defaults
recommendations are intended to ensure that these entry-level use cases are still
capable of establishing a strong baseline of secure configuration.

If your subscription is licensed to use Azure AD Premium P1 or P2, it is strongly
recommended that the "Security Defaults" section (this section and the
recommendations therein) be bypassed in favor of the use of "Conditional
Access."

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0101
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "Skip"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory

Configures auditing against a CIS Benchmark item.

Level: 1

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.

Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.

Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following:
1. Requiring all users and admins to register for MFA.
2. Challenging users with MFA - when necessary, based on factors such as location, device, role, and task.
3. Disabling authentication from legacy authentication clients, which can't do MFA.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010101
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory > Attestation

By setting this policy, you attest that you have manually verified that
it complies with the relevant section of the CIS Benchmark.

Azure Console
To enable security defaults in your directory:
1. From Azure Home select the Portal Menu.
2. Browse to Azure Active Directory > Properties
3. Select Manage security defaults
4. Set the Enable security defaults toggle to Yes
5. Select Save

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010101Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

Configures auditing against a CIS Benchmark item.

Level: 1

Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as;
• Service Co-Administrators
• Subscription Owners
• Contributors

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010102
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select the Azure Active Directory blade
3. Select Users
4. Take note of all users with the role Service Co-Administrators, Owners or
Contributors
5. Click on the Per-User MFA button in the top row menu
6. Ensure that MULTI-FACTOR AUTH STATUS is Enabled for all noted users

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010102Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

Configures auditing against a CIS Benchmark item.

Level: 2

Enable multi-factor authentication for all non-privileged users.

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010103
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select the Azure Active Directory blade
3. Then Users
4. Select All Users
5. Click on Per-User MFA button on the top bar
6. Ensure that for all users MULTI-FACTOR AUTH STATUS is Enabled

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010103Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled

Configures auditing against a CIS Benchmark item.

Level: 1

Do not allow users to remember multi-factor authentication on devices.

Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010104
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Click the Per-user MFA button on the top bar
5. Click on service settings
6. Uncheck the box next to Allow users to remember multi-factor authentication on devices they trust

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010104Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access

For most Azure tenants, and certainly for organizations with a significant use of Azure
Active Directory, Conditional Access policies are recommended and preferred. To use
conditional access policies, a licensing plan is required, and Security Defaults must be
disabled.
Conditional Access requires one of the following plans:
• Azure Active Directory Premium P1 or P2
• Microsoft 365 Business Premium
• Microsoft 365 E3 or E5
• Microsoft 365 F1, F3, F5 Security and F5 Security + Compliance
• Enterprise Mobility & Security E3 or E5

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0102
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "Skip"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Active Directory Conditional Access allows an organization to configure Named
locations and configure whether those locations are trusted or untrusted. These
settings provide organizations the means to specify Geographical locations for use in
conditional access policies, or define actual IP addresses and IP ranges and whether or
not those IP addresses and/or ranges are trusted by the organization.

Defining trusted source IP addresses or ranges helps organizations create and enforce
Conditional Access policies around those trusted or untrusted IP addresses and ranges.
Users authenticating from trusted IP addresses and/or ranges may have less access
restrictions or access requirements when compared to users that try to authenticate
to Azure Active Directory from untrusted locations or untrusted source IP addresses/ranges.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010201
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered

Configures auditing against a CIS Benchmark item.

Level: 1

Conditional Access Policies can be used to block access from geographic
locations that are deemed out-of-scope for your organization or application.
The scope and variables for this policy should be carefully examined and defined.

Conditional Access, when used as a deny list for the tenant or subscription, is able
to prevent ingress or egress of traffic to countries that are outside of the scope of
interest (e.g.: customers, suppliers) or jurisdiction of an organization.
This is an effective way to prevent unnecessary and long-lasting exposure to international
threats such as APTs.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010202
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation

From Azure Portal

Part 1 of 2 - Create the policy and enable it in Report-only mode.
1. From Azure Home open the portal menu in the top left, and select Azure Active Directory.
2. Scroll down in the menu on the left, and select Security.
3. Select on the left side Conditional Access.
4. Click the + New policy button, then:
5. Provide a name for the policy.
6. Under Assignments, select Users or workload identities then:
o Under Include, select All users
o Under Exclude, check Users and groups and only select emergency access accounts and service accounts (NOTE: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA)
7. Under Assignments, select Cloud apps or actions then:
o Under Include, select All cloud apps
o Leave Exclude blank unless you have a well defined exception
8. Under Conditions, select Locations then:
o Select Include, then add entries for locations for those that should be blocked
o Select Exclude, then add entries for those that should be allowed
(IMPORTANT: Ensure that all Trusted Locations are in the Exclude list.)
9. Under Access Controls, select Grant and Confirm that Block Access is selected.
10.Set Enable policy to Report-only.
11.Click Create.

NOTE: The policy is not yet 'live,' since Report-only is being used to audit the effect of the policy.
Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to On.
1. With your policy now in report-only mode, return to the Azure Active Directory blade and click on Sign-in logs.
2. Review the recent sign-in events - click an event then review the event details (specifically the Report-only tab) to ensure:
o The sign-in event you're reviewing occurred after turning on the policy in report-only mode
o The policy name from step 5 above is listed in the Policy Name column
o The Result column for the new policy shows that the policy was Not applied (indicating the location origin was not blocked)
3. If the above conditions are present, navigate back to the policy name in Conditional Access and open it.
4. Toggle the policy from Report-only to On.
5. Click Save.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010202Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups

Configures auditing against a CIS Benchmark item.

Level: 1

For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.

Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010203
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation

From Azure Portal

1. From Azure Home open the Portal Menu in top left, and select Azure Active Directory.
2. Select Security.
3. Select Conditional Access.
4. Click + New policy.
5. Enter a name for the policy.
6. Select Users or workload identities.
7. Check Users and groups.
8. Select administrative groups this policy should apply to and click Select.
9. Under Exclude, check Users and groups.
10.Select users this policy not should apply to and click Select.
11.Select Cloud apps or actions.
12.Select All cloud apps.
13.Select Grant.
14.Under Grant access, check Require multifactor authentication and click Select.
15.Set Enable policy to Report-only.
16.Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010203Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users

Configures auditing against a CIS Benchmark item.

Level: 1

For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.

Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010204
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation

From Azure Portal

1. From Azure Home open Portal menu in the top left, and select Azure Active Directory.
2. Select Security.
3. Select Conditional Access.
4. Click + New policy.
5. Enter a name for the policy.
6. Select Users or workload identities.
7. Under Include, select All users.
8. Under Exclude, check Users and groups.
9. Select users this policy should not apply to and click Select.
10.Select Cloud apps or actions.
11.Select All cloud apps.
12.Select Grant.
13.Under Grant access, check Require multifactor authentication and click Select.
14.Set Enable policy to Report-only.
15.Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010204Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins

Configures auditing against a CIS Benchmark item.

Level: 1

For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.

Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010205
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu in the top left, and select Azure Active Directory.
2. Select Security
3. Select Conditional Access.
4. Click + New policy.
5. Enter a name for the policy.
6. Select Users or workload identities.
7. Under Include, select All users.
8. Under Exclude, check Users and groups.
9. Select users this policy should not apply to and click Select.
10.Select Cloud apps or actions.
11.Select All cloud apps.
12.Select Conditions.
13.Select Sign-in risk.
14.Update the Configure toggle to Yes.
15.Check the sign-in risk level this policy should apply to, e.g. High and Medium.
16.Select Done.
17.Select Grant.
18.Under Grant access, check Require multifactor authentication and click Select.
19.Set Enable policy to Report-only.
20.Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010205Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management

Configures auditing against a CIS Benchmark item.

Level: 1

For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.

Enabling multi-factor authentication is a recommended setting to limit the use of Administrative actions and to prevent intruders from changing settings.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010206
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu and select Azure Active Directory.
2. Select Security.
3. Select Conditional Access.
4. Click + New policy.
5. Enter a name for the policy.
6. Select Users or workload identities.
7. Under Include, select All users.
8. Under Exclude, check Users and groups.
9. Select users this policy should not apply to and click Select.
10.Select Cloud apps or actions.
11.Select Select apps.
12.Check the box next to Microsoft Azure Management and click Select.
13.Select Grant.
14.Under Grant access, check Require multifactor authentication and click Select.
15.Set Enable policy to Report-only.
16.Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r010206Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators or appropriately delegated users to create new tenants.

It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0103
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Select User settings
5. Set Users can create Azure AD Tenants to No

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0103Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management

Configures auditing against a CIS Benchmark item.

Level: 2

This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2.

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.

Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0104
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation

From Azure Portal

1. From the Azure Portal home page click the portal menu in the top left.
2. Select Azure Active Directory
3. Select Users in the left column under the Manage heading.
4. Next to the search box select the filter option.
5. Search for and select User Type
6. In the third drop down Value select Guest.
7. Review the guest users in your Active Directory.
8. For those you wish to delete, select the checkbox on the left then the Delete option in the top row.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0104Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis

Configures auditing against a CIS Benchmark item.

Level: 1

Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.

Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.

Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0105
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensures that two alternate forms of identification are provided before allowing a password reset.

A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0106
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then Users
4. Select Password reset
5. Then Authentication methods
6. Set the Number of methods required to reset to 2

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0106Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization

Configures auditing against a CIS Benchmark item.

Level: 1

Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0107
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Security.
4. Under Manage, select Authentication Methods.
5. Select Password Protection.
6. Set the Enforce custom list option to Yes.
7. Double click the custom banned password list to add a string.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0107Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.

This setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0108
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then Users
4. Select Password reset
5. Then Registration
6. Set the Number of days before users are asked to re-confirm their authentication information to your organization-defined frequency.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0108Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that users are notified on their primary and secondary emails on password resets.

User notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0109
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Select Password reset
5. Under Manage, select Notifications
6. Set Notify users on password resets? to Yes

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0109Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Global Administrators are notified if any other administrator resets their password.

Global Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0110
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Select Password reset
5. Under Manage, select Notifications
6. Set Notify all admins when other admins reset their password? to Yes

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0110Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators to provide consent for applications before use.

If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0111
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Enterprise Applications
4. Select Consent and permissions
5. Select User consent settings
6. Set User consent for applications to Do not allow user consent
7. Click save

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0111Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'

Configures auditing against a CIS Benchmark item.

Level: 2

Allow users to provide consent for selected permissions when a request is coming from a verified publisher.

If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0112
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Enterprise Applications
4. Select Consent and permissions
5. Select User consent settings
6. Under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions
7. Select Save

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0112Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators to provide consent for the apps before use.

Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0113
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then Users
4. Select User settings
5. Then Manage how end users launch and view their applications
6. Set Users can add gallery apps to My Apps to No

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0113Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 1

Require administrators or appropriately delegated users to register third-party applications.

It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0114
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Configures auditing against a CIS Benchmark item.

Level: 1

Limit guest user permissions.

Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.

Guest users have the same access as members (most inclusive),
Guest users have limited access to properties and memberships of directory objects (default value),
Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
The recommended option is the 3rd, most restrictive: "Guest user access is restricted to their own directory object".

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0115
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then External Identities
4. Select External collaboration settings
5. Under Guest user access, change Guest user access restrictions to be Guest user access is restricted to properties and memberships of their own directory objects

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0115Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict invitations to users with specific administrative roles only.

Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.

By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0116
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then External Identities
4. Select External collaboration settings
5. Under Guest invite settings, for Guest invite restrictions, ensure that Only users assigned to specific admin roles can invite guest users is selected

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0116Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Restrict access to the Azure AD administration portal to administrators only.

NOTE: This only affects access to the Azure AD administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD.

The Azure AD administrative portal has sensitive data and permission settings. All non- administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0117
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then Users
4. Select User settings
5. Set Restrict access to Azure AD administration portal to Yes

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0117Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 2

Restricts group creation to administrators with permissions only.

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0118
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Groups
4. Select General under Settings
5. Ensure that Restrict user ability to access groups features in the Access Panel is set to Yes

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0118Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict security group creation to administrators only.

When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0119
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict security group management to administrators only.

Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0120
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then Groups
4. Select General in settings
5. Set Owners can manage group membership requests in the Access Panel to No

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0120Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

Configures auditing against a CIS Benchmark item.

Level: 2

Restrict Microsoft 365 group creation to administrators only.

Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0121
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Then Groups
4. Select General in settings
5. Set Users can create Microsoft 365 groups in Azure portals, API or PowerShell to No

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0121Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'

Configures auditing against a CIS Benchmark item.

Level: 1

Joining or registering devices to the active directory should require Multi-factor authentication.

Multi-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory.
This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices.
Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0122
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Devices
4. Select Device settings
5. Set Require Multi-Factor Authentication to register or join devices with Azure AD to Yes

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0122Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist

Configures auditing against a CIS Benchmark item.

Level: 1

The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.

Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0123
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Configures auditing against a CIS Benchmark item.

Level: 2

Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.

Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0124
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation

From Azure Portal

1. In the Azure portal, open a subscription or resource group where you want the custom role to be assigned.
2. Select Access control (IAM).
3. Click Add.
4. Select Add custom role.
5. In the Custom Role Name field enter Resource Lock Administrator.
6. In the Description field enter Can Administer Resource Locks.
7. For Baseline permissions select Start from scratch
8. Select next.
9. In the Permissions tab select Add permissions.
10.In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions.
11.Select the check box next to the permission Microsoft.Authorization/locks.
12.Select Add.
13.Select Review + create.
14.Select Create.
15.Assign the newly created role to the appropriate user.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0124Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'

Configures auditing against a CIS Benchmark item.

Level: 2

Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.

Permissions to move subscriptions in and out of Azure Active Directory must only be given to appropriate administrative personnel. A subscription that is moved into an Azure Active Directory may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0125
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 01 - Identity and Access Management",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 01 - Identity and Access Management"
}

Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation

From Azure Portal

1. From the Azure Portal Home select the portal menu
2. Select Subscriptions
3. Select Manage Policies
4. Under Subscription leaving AAD directory and Subscription entering AAD directory select Permit no one

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0125Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set
further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s01Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 02 - Microsoft Defender

This section covers recommendations to consider for tenant-wide security policies and plans related to Microsoft Defender. Please note that because Microsoft Defender products require additional licensing, all Microsoft Defender plan recommendations in subsection 2.1 are assigned as “Level 2.”
Microsoft Defender products addressed in this section include:
• Microsoft Defender for Cloud
• Microsoft Defender for IoT
• Microsoft Defender External Attack Surface Management

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s02
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud

This subsection is dedicated to providing guidance on Microsoft Defender for Cloud
product plans. This guidance is intended to ensure that - at a minimum - the protective
measures offered by these plans are being considered. Organizations may find that
they have existing products or services that provide the same utility as some Microsoft
Defender for Cloud products. Security and Administrative personnel need to make the
determination on their organization's behalf regarding which - if any - of these
recommendations are relevant to their organization's needs. In consideration of the
above, and because of the potential for increased cost and complexity, please be aware
that all Defender Plan recommendations are profiled as "Level 2" recommendations.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0201
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "Skip"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020101
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020102
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.

Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020103
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in- depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020104
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for SQL servers on machines allows for greater defense- in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020105
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020106
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020107
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Container Registries allows for greater defense-in- depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020108
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.

In scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020109
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020110
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for DNS scans all network traffic exiting from within a subscription.

DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020111
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.

Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020112
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that the latest OS patches for all virtual machines are applied.

Windows and Linux virtual machines should be kept updated to:
• Address a specific bug or flaw
• Improve an OS or application's general stability
• Fix a security vulnerability

The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020113
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation

Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020113Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'

Configures auditing against a CIS Benchmark item.

Level: 1

None of the settings offered by ASC Default policy should be set to effect Disabled.

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020114
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable automatic provisioning of the monitoring agent to collect security data.

When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020115
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.

Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020116
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Microsoft Defender for Cloud
3. Then Environment Settings
4. Select a subscription
5. Click on Settings & Monitoring
6. Ensure that Vulnerability assessment for machines is set to On

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020116Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Enable automatic provisioning of the Microsoft Defender for Containers components.

As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020117
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation

From Azure Portal

1. From Azure Home select the Portal Menu
2. Select Microsoft Defender for Cloud
3. Then Environment Settings
4. Select a subscription
5. Then Auto Provisioning in the left column.
6. Set Microsoft Defender for Containers components to On

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020117Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable security alert emails to subscription owners.

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020118
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email

Configures auditing against a CIS Benchmark item.

Level: 1

Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.

Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020119
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'

Configures auditing against a CIS Benchmark item.

Level: 1

Enables emailing security alerts to the subscription owner or other designated security contact.

Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020120
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected

Configures auditing against a CIS Benchmark item.

Level: 2

This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.

Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license.

Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020121
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected

Configures auditing against a CIS Benchmark item.

Level: 2

This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.

IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.

1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.

MDE works only with Standard Tier subscriptions.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020122
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT

This section covers requirements for Microsoft Defender for IoT.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0202
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "Skip"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.

IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020201
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 02 - Microsoft Defender",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 02 - Microsoft Defender"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation

From Azure Portal

1. Go to IoT Hub.
2. Select a IoT Hub to validate.
3. Select Overview in Defender for IoT.
4. Click on Secure your IoT solution, and complete the onboarding.

Once verified, enter the date that this attestation expires. Note that the
date can not be further in the future than is specified in
Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r020201Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring

As more services are exposed to the public internet it is important to be able to monitor the externally exposed surface of your Azure Tenant, to this end it is recommended that tools that monitor this surface are implemented.

Microsoft have a new tool to do this in their Defender Suite of products. Defender EASM, this tool is configured very simply to scan specified domains and report on them, specific domains and addresses can be excluded from the scan.

Typically these tools will report on any vulnerability that is identified (CVE) and will also identify ports and protocols that are open on devices.

Results are classified Critical/High/Medium & Low with proposed mitigations.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0203
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "Skip"
}

Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set
further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s02Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 03 - Storage Accounts

Covers security recommendations to follow to set storage account policies on an Azure Subscription. An Azure storage account provides a unique namespace to store and access Azure Storage data objects.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s03
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable data encryption is transit.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0301
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled

Configures auditing against a CIS Benchmark item.

Level: 2

Do not allow users to remember multi-factor authentication on devices.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0302
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account

Configures auditing against a CIS Benchmark item.

Level: 1

Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The "Rotation Reminder" is an automatic reminder feature for a manual procedure.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0303
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. Go to Storage Accounts
2. For each Storage Account that is not compliant, go to Access keys
3. Click Set rotation reminder
4. Check Enable key rotation reminders
5. In the Send reminders field select Custom, then set the Remind me every field to 90 and the period drop down to Days.
6. Click Save

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0303Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated

Configures auditing against a CIS Benchmark item.

Level: 1

For increased security, regenerate storage account access keys periodically.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0304
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. Go to Storage Accounts
2. For each Storage Account with outdated keys, go to Access keys
3. Click Rotate key next to the outdated key, then click Yes to the prompt confirming that you want to regenerate the access key.

After Azure regenerates the Access Key, you can confirm that Access keys reflects a Last rotated date of (0 days ago).

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0304Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Configures auditing against a CIS Benchmark item.

Level: 2

Do not allow users to remember multi-factor authentication on devices.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0305
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour

Configures auditing against a CIS Benchmark item.

Level: 1

Expire shared access signature tokens within an hour.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0306
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

When generating shared access signature tokens, use start and end time such that it falls within an hour.

From Azure Portal
1. Go to Storage Accounts
2. For each storage account, go to Shared access signature
3. Set Start and expiry date/time within an hour

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0306Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Configures auditing against a CIS Benchmark item.

Level: 1

Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0308
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Configures auditing against a CIS Benchmark item.

Level: 2

Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0309
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts

Configures auditing against a CIS Benchmark item.

Level: 1

Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0310
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

Configures auditing against a CIS Benchmark item.

Level: 1

The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.

It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0311
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys

Configures auditing against a CIS Benchmark item.

Level: 2

Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0312
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

Configures auditing against a CIS Benchmark item.

Level: 2

The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0313
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"

Configures auditing against a CIS Benchmark item.

Level: 1

Do not allow users to remember multi-factor authentication on devices.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0315
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 03 - Storage Accounts",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 03 - Storage Accounts",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 03 - Storage Accounts"
}

Azure > CIS v2.0 > 03 - Storage Accounts > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s03Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 04 - Database Services

Covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s04
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing

Auditing for Azure SQL Servers and SQL Databases tracks database events and writes them to an audit log Azure storage account, Log Analytics workspace or Event Hubs. Auditing helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. Auditing enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. The Default SQL Server Auditing profile set for SQL server is inherited by all the SQL Databases which are part of the SQL server.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0401
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable auditing on SQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040101
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040102
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

Configures auditing against a CIS Benchmark item.

Level: 2

Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.

Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040103
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers

Configures auditing against a CIS Benchmark item.

Level: 1

Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040104
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database

Configures auditing against a CIS Benchmark item.

Level: 1

Enable Transparent Data Encryption on every SQL server.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040105
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'

Configures auditing against a CIS Benchmark item.

Level: 1

SQL Server Audit Retention should be configured to be greater than 90 days.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040106
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL

Microsoft Defender for SQL provides a layer of security which enables customers to detect and respond to potential threats as they occur through security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Microsoft Defender for SQL may incur additional cost per SQL server.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0402
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

Configures auditing against a CIS Benchmark item.

Level: 2

Enable "Microsoft Defender for SQL" on critical SQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040201
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

Configures auditing against a CIS Benchmark item.

Level: 2

Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040202
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server

Configures auditing against a CIS Benchmark item.

Level: 2

Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040203
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server

Configures auditing against a CIS Benchmark item.

Level: 2

Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040204
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040205
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server

Covers security best practices/recommendations for Azure PostgreSQL Database Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0403
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable SSL connection on PostgreSQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040301
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_checkpoints on PostgreSQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040302
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_connections on PostgreSQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040303
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_disconnections on PostgreSQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040304
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable connection_throttling on PostgreSQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040305
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable log_retention_days on PostgreSQL Servers is set to an appropriate value.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040306
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

Configures auditing against a CIS Benchmark item.

Level: 1

Disable access from Azure services to PostgreSQL Database Server.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040307
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040308
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database

Covers security best practices/recommendations for Azure MySQL Database Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0404
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Enable SSL connection on MYSQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040401
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure TLS version on MySQL flexible servers is set to the default value.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040402
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 2

Enable audit_log_enabled on MySQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040403
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server

Configures auditing against a CIS Benchmark item.

Level: 2

Set audit_log_enabled to include CONNECTION on MySQL Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040404
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB

Covers security best practices/recommendations for Azure Cosmos DB Database Servers.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0405
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

Configures auditing against a CIS Benchmark item.

Level: 2

Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040501
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible

Configures auditing against a CIS Benchmark item.

Level: 2

Private endpoints limit network traffic to approved sources.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040502
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible

Configures auditing against a CIS Benchmark item.

Level: 1

Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040503
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 04 - Database Services",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 04 - Database Services",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 04 - Database Services"
}

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
Create an Azure Active Directory (AAD) identity for each of these resources:
For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
For non-Azure resources, create an AAD identity.
Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

You can use the az resource update powershell command:

$cosmosdbname = "cosmos-db-account-name"
$resourcegroup = "resource-group-name"
$cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group
$resourcegroup | ConvertFrom-Json

az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

Once verified, enter the date that this attestation expires.
Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r040503Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 04 - Database Services > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s04Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring

Covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s05
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings

The Azure Diagnostic Settings capture control/management activities performed on a subscription or Azure AD Tenant. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of events that are stored or streamed and the outputs—storage account, log analytics workspace, event hub, and others. The Diagnostic Settings, if configured properly, can ensure that all logs are retained for longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all logs captured are retained for longer periods.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0501
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

Configures auditing against a CIS Benchmark item.

Level: 1

The storage account container containing the activity log export should not be publicly accessible.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050103
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

Configures auditing against a CIS Benchmark item.

Level: 2

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050104
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050105
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled

Configures auditing against a CIS Benchmark item.

Level: 2

Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050107
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts

The recommendations provided in this section are intended to provide entry-level alerting for crucial activities on a tenant account. These recommended activities should be tuned to your needs. By default, each of these Activity Log Alerts tends to guide the reader to alerting at the "Subscription-wide" level which will capture and alert on rules triggered by all resources and resource groups contained within a subscription. This is not an ideal rule set for Alerting within larger and more complex organizations. While this section provides recommendations for the creation of Activity Log Alerts specifically, Microsoft Azure supports four different types of alerts:
- Metric Alerts
- Log Alerts
- Activity Log Alerts
- Smart Detection Alerts

All Azure services (Microsoft provided or otherwise) that can generate alerts are assigned a "Resource provider namespace" when they are registered in an Azure tenant. The recommendations in this section are in no way exhaustive of the plethora of available "Providers" or "Resource Types." The Resource Providers that are registered in your Azure Tenant can be located in your Subscription. Each registered Provider in your environment may have available "Conditions" to raise alerts via Activity Log Alerts. These providers should be considered for inclusion in Activity Log Alert rules of your own making.
To view the registered resource providers in your Subscription(s), use this guide:
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types

If you wish to create custom alerting rules for Activity Log Alerts or other alert types, please refer to Microsoft documentation:
- https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0502
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create Policy Assignment event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050201
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Policy Assignment event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050202
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group

Configures auditing against a CIS Benchmark item.

Level: 1

Create an Activity Log Alert for the Create or Update Network Security Group event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050203
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Network Security Group event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050204
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create or Update Security Solution event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050205
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Security Solution event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050206
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create or Update SQL Server Firewall Rule event.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050207
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete SQL Server Firewall Rule.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050208
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Create or Update Public IP Addresses rule.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050209
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule

Configures auditing against a CIS Benchmark item.

Level: 1

Create an activity log alert for the Delete Public IP Address rule.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050210
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights

Covers recommendations addressing Application Insights.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s0503
Category
Parent
Targets
Valid Value
[
  "Skip"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured

Configures auditing against a CIS Benchmark item.

Level: 2

Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r050301
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it

Configures auditing against a CIS Benchmark item.

Level: 1

Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type. A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0504
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Azure Subscriptions should log every access and operation for all resources. Logs should be sent to Storage and a Log Analytics Workspace or equivalent third-party system. Logs should be kept in readily-accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a duration of time as necessary. If retention policies are set but storing logs in a Storage Account is disabled (for example, if only Event Hubs or Log Analytics options are selected), the retention policies have no effect. Enable all monitoring at first, and then be more aggressive moving data to cold storage if the volume of data becomes a cost concern.

From Azure Portal
The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:
1. Go to the resource
2. Click on Diagnostic settings
3. In the blade that appears, click "Add diagnostic setting"
4. Configure the diagnostic settings
5. Click on Save

From Azure CLI
For each resource, run the following making sure to use a resource appropriate JSON encoded category for the --logs option.

<br />az monitor diagnostic-settings create --name &lt;diagnostic settings name&gt; --resource &lt;resource ID&gt; --logs &quot;[{category:&lt;resource specific category&gt;,enabled:true,rentention-policy:{enabled:true,days:180}}]&quot; --metrics &quot;[{category:AllMetrics,enabled:true,retention-policy:{enabled:true,days:180}}]&quot; &lt;[--event-hub &lt;event hub ID&gt; --event-hub-rule &lt;event hub auth rule ID&gt; | --storage-account &lt;storage account ID&gt; |--<br />

From PowerShell
Create the log settings object

<br />$logSettings = @()$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category &lt;resource specific category&gt; $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category &lt;resource specific category number 2&gt;<br />

Create the metric settings object

<br />$metricSettings = @()$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true-RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics<br />

Create the diagnostic setting for a specific resource

<br />New-AzDiagnosticSetting -Name &quot;&lt;diagnostic settings name&gt;&quot; -ResourceId &lt;resource ID&gt; -Log $logSettings -Metric $metricSettings<br />

Once verified, enter the date that this attestation expires.
Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0504Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)

Configures auditing against a CIS Benchmark item.

Level: 2

The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0505
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 05 - Logging and Monitoring",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 05 - Logging and Monitoring"
}

Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s05Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 06 - Networking

Covers security recommendations to follow in order to set networking policies on an Azure subscription.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s06
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0601
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0602
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0603
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted

Configures auditing against a CIS Benchmark item.

Level: 1

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0604
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

Configures auditing against a CIS Benchmark item.

Level: 2

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0605
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 2

Enable Network Watcher for Azure subscriptions.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0606
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis

Configures auditing against a CIS Benchmark item.

Level: 1

Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0607
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 06 - Networking",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 06 - Networking",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 06 - Networking"
}

Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Remediation will vary significantly depending on your organization's security requirements for the resources attached to each individual Public IP address.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0607Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 06 - Networking > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s06Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 07 - Virtual Machines

Covers recommendations to follow for the configuration of Virtual Machines on an Azure subscription.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s07
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks

Configures auditing against a CIS Benchmark item.

Level: 1

Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:
1. Default Disk Encryption
2. Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty
3. Reduction of costs over storage accounts

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0702
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 07 - Virtual Machines",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 07 - Virtual Machines",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 07 - Virtual Machines"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0703
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 07 - Virtual Machines",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 07 - Virtual Machines",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 07 - Virtual Machines"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0704
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 07 - Virtual Machines",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 07 - Virtual Machines",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 07 - Virtual Machines"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed

Configures auditing against a CIS Benchmark item.

Level: 1

For added security, only install organization-approved extensions on VMs.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0705
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 07 - Virtual Machines",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 07 - Virtual Machines",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 07 - Virtual Machines"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. Go to Virtual machines
2. For each virtual machine, go to Settings
3. Click on Extensions + applications
4. If there are unapproved extensions, uninstall them.

From Azure CLI
From the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM.
<br /> az vm extension delete --resource-group &lt;resourceGroupName&gt; --vm-name &lt;vmName&gt; --name &lt;extensionName&gt;<br />

From PowerShell
<br /> Remove-AzVMExtension -ResourceGroupName &lt;ResourceGroupName&gt; -Name &lt;ExtensionName&gt; -VMName &lt;VirtualMachineName&gt;<br />

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0705Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed

Configures auditing against a CIS Benchmark item.

Level: 2

Install endpoint protection for all virtual machines.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0706
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 07 - Virtual Machines",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 07 - Virtual Machines",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 07 - Virtual Machines"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Follow Microsoft Azure documentation to install endpoint protection from the security center. Alternatively, you can employ your own endpoint protection tool for your OS.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0706Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted

Configures auditing against a CIS Benchmark item.

Level: 2

NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.

VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0707
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 07 - Virtual Machines",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 07 - Virtual Machines",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 07 - Virtual Machines"
}

Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. Navigate to the storage account that you wish to encrypt
2. Select encryption
3. Select the encryption type that you wish to use

If you wish to use a Microsoft-managed key (the default), you can save at this point and encryption will be applied to the account. If you select Customer-managed keys, it will ask for the location of the key (The default is an Azure Key Vault) and the key name. Once these are captured, save the configuration and the account will be encrypted using the provided key.

From Azure CLI:
Create the Key Vault
<br /> az keyvault create --name &lt;name&gt; --resource-group &lt;resourceGroup&gt; --location &lt;location&gt; --enabled-for-disk-encryption<br />

Encrypt the disk and store the key in Key Vault
<br /> az vm encryption enable -g &lt;resourceGroup&gt; --name &lt;name&gt; --disk-encryption-keyvault myKV<br />

From PowerShell
This process uses a Key Vault to store the keys
Create the Key Vault
<br /> New-AzKeyvault -name &lt;name&gt; -ResourceGroupName &lt;resourceGroup&gt; -Location &lt;location&gt; -EnabledForDiskEncryption<br />

Encrypt the disk and store the key in Key Vault
<br /> $KeyVault = Get-AzKeyVault -VaultName &lt;name&gt; -ResourceGroupName &lt;resourceGroup&gt;<br /> Set-AzVMDiskEncryptionExtension -ResourceGroupName &lt;resourceGroup&gt; -VMName &lt;name&gt; -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId<br />

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0707Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 07 - Virtual Machines > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s07Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 08 - Key Vault

Covers security recommendations to follow for the configuration and use of Azure Key Vault.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s08
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0801
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0802
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0803
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0804
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable

Configures auditing against a CIS Benchmark item.

Level: 1

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.

It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.

WARNING: A current limitation of the soft-delete feature across all Azure services is
role assignments disappearing when Key Vault is deleted. All role assignments will
need to be recreated after recovery.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0805
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault

Configures auditing against a CIS Benchmark item.

Level: 2

WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments.

This is a limitation of the soft-delete feature across all Azure services.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0806
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault

Configures auditing against a CIS Benchmark item.

Level: 2

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0807
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Configures auditing against a CIS Benchmark item.

Level: 2

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0808
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 08 - Key Vault",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 08 - Key Vault",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 08 - Key Vault"
}

Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Note:
Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input
will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required
with it denoting period. The (Y,M,D) are for the duration of Year, Month,and Day
respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).

From Azure Portal
1. From Azure Portal select the Portal Menu in the top left.
2. Select Key Vaults.
3. Select a Key Vault to audit.
4. Under Objects select Keys.
5. Select a key to audit.
6. In the top row select Rotation policy.
7. Select an Expiry time.
8. Set Enable auto rotation to Enabled.
9. Set an appropriate Rotation option and Rotation time.
10.Optionally set the Notification time.
11.Select Save.
12.Repeat steps 3-11 for each Key Vault and Key.

From Azure CLI
Run the following command for each key to update its policy to be auto-rotated:
<br /> az keyvault key rotation-policy update -n &lt;keyName&gt; --vault-name &lt;vaultName&gt; --value &lt;path/to/policy.json&gt;<br /><br /> Note: It is easiest to supply the policy flags in a .json file. An example<br /> json file would be:<br /> {<br /> &quot;lifetimeActions&quot;: [<br /> {<br /> &quot;trigger&quot;: {<br /> &quot;timeAfterCreate&quot;: &quot;&lt;timespanInISO8601Format&gt;&quot;,<br /> &quot;timeBeforeExpiry&quot; : null<br /> },<br /> &quot;action&quot;: {<br /> &quot;type&quot;: &quot;Rotate&quot;<br /> }<br /> },<br /> {<br /> &quot;trigger&quot;: {<br /> &quot;timeBeforeExpiry&quot; : &quot;&lt;timespanInISO8601Format&gt;&quot;<br /> },<br /> &quot;action&quot;: {<br /> &quot;type&quot;: &quot;Notify&quot;<br /> }<br /> }<br /> ],<br /> &quot;attributes&quot;: {<br /> &quot;expiryTime&quot;: &quot;&lt;timespanInISO8601Format&gt;&quot;<br /> }<br /> }<br />

From PowerShell
Run the following command for each key to update its policy:
<br /> Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPathrotation_policy.json<br />

Note: It is easiest to supply the policy flags in a .json file. An example json file would be:
<br /> &lt;#<br /> rotation_policy.json<br /> {<br /> &quot;lifetimeActions&quot;: [<br /> {<br /> &quot;trigger&quot;: {<br /> &quot;timeAfterCreate&quot;: &quot;P&lt;timespanInISO8601Format&gt;M&quot;,<br /> &quot;timeBeforeExpiry&quot;: null<br /> },<br /> &quot;action&quot;: {<br /> &quot;type&quot;: &quot;Rotate&quot;<br /> }<br /> },<br /> {<br /> &quot;trigger&quot;: {<br /> &quot;timeBeforeExpiry&quot;: &quot;P&lt;timespanInISO8601Format&gt;D&quot;<br /> },<br /> &quot;action&quot;: {<br /> &quot;type&quot;: &quot;Notify&quot;<br /> }<br /> }<br /> ],<br /> &quot;attributes&quot;: {<br /> &quot;expiryTime&quot;: &quot;P&lt;timespanInISO8601Format&gt;Y&quot;<br /> }<br /> }<br /> #&gt;<br />

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0808Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 08 - Key Vault > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s08Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 09 - Application Services

Covers security recommendations for Azure AppService.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s09
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service

Configures auditing against a CIS Benchmark item.

Level: 2

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0901
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service

Configures auditing against a CIS Benchmark item.

Level: 1

Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0902
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption

Configures auditing against a CIS Benchmark item.

Level: 1

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0903
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0904
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service

Configures auditing against a CIS Benchmark item.

Level: 1

Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0905
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0906
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. From Azure Home open the Portal Menu in the top left
2. Go to App Services
3. Click on each App
4. Under Settings section, click on Configuration
5. Click on the General settings pane, ensure that for a Stack of PHP the Major
Version and Minor Version reflect the latest stable and supported release.

NOTE: No action is required If PHP version is set to Off or is set with an empty value as PHP is not used by your web app.

From Azure CLI
List the available PHP runtimes:

<br />az webapp list-runtimes<br />

To set latest PHP version for an existing app, run the following command:

<br />az webapp config set --resource-group &lt;resource group name&gt; --name &lt;app name&gt;[--linux-fx-version &lt;php runtime version&gt;][--php-version &lt;php version&gt;]<br />

From PowerShell
To set latest PHP version for an existing app, run the following command:

<br />Set-AzWebApp -ResourceGroupName &lt;resource group name&gt; -Name &lt;app name&gt; -phpVersion &lt;php version&gt;<br />

NOTE: Currently there is no way to update an existing web app Linux FX Version setting using PowerShell, nor is there a way to create a new web app using PowerShell that configures the PHP runtime in the Linux FX Version setting.

Once verified, enter the date that this attestation expires.
Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0906Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0907
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. From Azure Home open the Portal Menu in the top left
2. Go to App Services
3. Click on each App
4. Under Settings section, click on Configuration
5. Click on the General settings pane and ensure that the Major Version and the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing)

NOTE: No action is required if Python version is set to Off, as Python is not used by your web app.

From Azure CLI
To see the list of supported runtimes:

<br />az webapp list-runtimes<br />

To set latest Python version for an existing app, run the following command:

<br />az webapp config set --resource-group &lt;RESOURCE_GROUP_NAME&gt; --name &lt;APP_NAME&gt; [--windows-fx-version &quot;PYTHON|3.11&quot;] [--linux-fx-version &quot;PYTHON|3.11&quot;]<br />

From PowerShell
As of this writing, there is no way to update an existing application's SiteConfig or set the a new application's SiteConfig settings during creation via PowerShell.

Once verified, enter the date that this attestation expires.
Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0907Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0908
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. Login to Azure Portal using https://portal.azure.com
2. Go to App Services
3. Click on each App
4. Under Settings section, click on Configuration
5. Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect the latest stable and supported release, and that the Java web server version is set to the auto-update option.

NOTE: No action is required if Java version is set to Off, as Java is not used by your web app.

From Azure CLI
To see the list of supported runtimes:

<br />az webapp list-runtimes<br />

To set latest Java version for an existing app, run the following command:

<br />az webapp config set --resource-group &lt;RESOURCE_GROUP_NAME&gt; --name &lt;APP_NAME&gt;[--java-version &lt;JAVA_VERSION&gt; --java-container &lt;JAVA_CONTAINER&gt; --java-container-version &lt;JAVA_CONTAINER_VERSION&gt; [--windows-fx-version &lt;javaruntime version&gt;] [--linux-fx-version &lt;java runtime version version&gt;]<br />

If creating a new web application to use a currently supported version of Java, run the following commands.

To create an app service plan:

<br />az appservice plan create --resource-group &lt;resource group name&gt; --name &lt;planname&gt; --location &lt;location&gt; [--is-linux --number-of-workers &lt;int&gt; --sku &lt;pricing tier&gt;] [--hyper-v --sku &lt;pricing tier&gt;]<br />

Get the app service plan ID:

<br />az appservice plan list --query &quot;[].{Name:name, ID:id, SKU:sku, Location:location}&quot;<br />

To create a new Java web application using the retrieved app service ID:

<br />az webapp create --resource-group &lt;resource group name&gt; --plan &lt;app serviceplan ID&gt; --name &lt;app name&gt; [--linux-fx-version &lt;java run time version&gt;] [--windows-fx-version &lt;java run time version&gt;]<br />

From PowerShell
As of this writing, there is no way to update an existing application's SiteConfig or set a new application's SiteConfig settings during creation via PowerShell.

Once verified, enter the date that this attestation expires.
Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0908Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App

Configures auditing against a CIS Benchmark item.

Level: 1

Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0909
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled

Configures auditing against a CIS Benchmark item.

Level: 1

By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0910
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets

Configures auditing against a CIS Benchmark item.

Level: 2

Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0911
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 09 - Application Services",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 09 - Application Services",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 09 - Application Services"
}

Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Remediation has 2 steps
1. Setup the Key Vault
2. Setup the App Service to use the Key Vault

Step 1: Set up the Key Vault

From Azure CLI

<br />az keyvault create --name &quot;&lt;name&gt;&quot; --resource-group &quot;&lt;myResourceGroup&gt;&quot; --location myLocation<br />

From Powershell

<br />New-AzKeyvault -name &lt;name&gt; -ResourceGroupName &lt;myResourceGroup&gt; -Location &lt;myLocation&gt;<br />

Step 2: Set up the App Service to use the Key Vault Sample JSON Template for App Service Configuration:

<br />{<br /> &quot;resources&quot;:[<br /> {<br /> &quot;type&quot;:&quot;Microsoft.Storage/storageAccounts&quot;,<br /> &quot;name&quot;:&quot;[variables(&#39;storageAccountName&#39;)]&quot;,<br /> },<br /> {<br /> &quot;type&quot;:&quot;Microsoft.Insights/components&quot;,<br /> &quot;name&quot;:&quot;[variables(&#39;appInsightsName&#39;)]&quot;,<br /> },<br /> {<br /> &quot;type&quot;:&quot;Microsoft.Web/sites&quot;,<br /> &quot;name&quot;:&quot;[variables(&#39;functionAppName&#39;)]&quot;,<br /> &quot;identity&quot;:{<br /> &quot;type&quot;:&quot;SystemAssigned&quot;<br /> },<br /> &quot;resources&quot;:[<br /> {<br /> &quot;type&quot;:&quot;config&quot;,<br /> &quot;name&quot;:&quot;appsettings&quot;,<br /> &quot;dependsOn&quot;:[<br /> &quot;[resourceId(&#39;Microsoft.Web/sites&#39;, variables(&#39;functionAppName&#39;))]&quot;,<br /> &quot;[resourceId(&#39;Microsoft.KeyVault/vaults/&#39;, variables(&#39;keyVaultName&#39;))]&quot;,<br /> &quot;[resourceId(&#39;Microsoft.KeyVault/vaults/secrets&#39;, variables(&#39;keyVaultName&#39;), variables(&#39;storageConnectionStringName&#39;))]&quot;,<br /> &quot;[resourceId(&#39;Microsoft.KeyVault/vaults/secrets&#39;, variables(&#39;keyVaultName&#39;), variables(&#39;appInsightsKeyName&#39;))]&quot;<br /> ],<br /> &quot;properties&quot;:{<br /> &quot;AzureWebJobsStorage&quot;:&quot;[concat(&#39;@Microsoft.KeyVault(SecretUri=&#39;, reference(variables(&#39;storageConnectionStringResourceId&#39;)).secretUriWithVersio n, &#39;)&#39;)]&quot;,<br /> &quot;WEBSITE_CONTENTAZUREFILECONNECTIONSTRING&quot;:&quot;[concat(&#39;@Microsoft.KeyVault(SecretUri=&#39;,<br /> reference(variables(&#39;storageConnectionStringResourceId&#39;)).secretUriWithVersio n, &#39;)&#39;)]&quot;,<br /> &quot;APPINSIGHTS_INSTRUMENTATIONKEY&quot;:&quot;[concat(&#39;@Microsoft.KeyVault(SecretUri=&#39;,<br /> reference(variables(&#39;appInsightsKeyResourceId&#39;)).secretUriWithVersion, &#39;)&#39;)]&quot;,<br /> &quot;WEBSITE_ENABLE_SYNC_UPDATE_SITE&quot;:&quot;true&quot;<br /> }<br /> },<br /> {<br /> &quot;type&quot;:&quot;sourcecontrols&quot;,<br /> &quot;name&quot;:&quot;web&quot;,<br /> &quot;dependsOn&quot;:[<br /> &quot;[resourceId(&#39;Microsoft.Web/sites&#39;, variables(&#39;functionAppName&#39;))]&quot;,<br /> &quot;[resourceId(&#39;Microsoft.Web/sites/config&#39;, variables(&#39;functionAppName&#39;), &#39;appsettings&#39;)]&quot;<br /> ]<br /> }{<br /> &quot;type&quot;:&quot;Microsoft.KeyVault/vaults&quot;,<br /> &quot;name&quot;:&quot;[variables(&#39;keyVaultName&#39;)]&quot;,<br /> ]<br /> },<br /> &quot;dependsOn&quot;:[<br /> &quot;[resourceId(&#39;Microsoft.Web/sites&#39;,<br /> variables(&#39;functionAppName&#39;))]&quot;<br /> ],<br /> &quot;properties&quot;:{<br /> &quot;accessPolicies&quot;:[<br /> {<br /> &quot;tenantId&quot;:&quot;[reference(concat(&#39;Microsoft.Web/sites/&#39;, variables(&#39;functionAppName&#39;),<br /> &#39;/providers/Microsoft.ManagedIdentity/Identities/default&#39;), &#39;2015-08-31- PREVIEW&#39;).tenantId]&quot;,<br /> &quot;objectId&quot;:&quot;[reference(concat(&#39;Microsoft.Web/sites/&#39;, variables(&#39;functionAppName&#39;),<br /> &#39;/providers/Microsoft.ManagedIdentity/Identities/default&#39;), &#39;2015-08-31- PREVIEW&#39;).principalId]&quot;,<br /> &quot;permissions&quot;:{<br /> &quot;secrets&quot;:[<br /> &quot;get&quot;<br /> ]<br /> }<br /> }&quot;resources&quot;:[<br /> {<br /> &quot;type&quot;:&quot;secrets&quot;<br /> ]<br /> },<br /> &quot;name&quot;:&quot;[variables(&#39;storageConnectionStringName&#39;)]&quot;,<br /> &quot;dependsOn&quot;:[<br /> &quot;[resourceId(&#39;Microsoft.KeyVault/vaults/&#39;, variables(&#39;keyVaultName&#39;))]&quot;,<br /> &quot;[resourceId(&#39;Microsoft.Storage/storageAccounts&#39;, variables(&#39;storageAccountName&#39;))]&quot;<br /> ],<br /> &quot;properties&quot;:{<br /> &quot;value&quot;:&quot;[concat(&#39;DefaultEndpointsProtocol=https;AccountName=&#39;,<br /> variables(&#39;storageAccountName&#39;), &#39;;AccountKey=&#39;, listKeys(variables(&#39;storageAccountResourceId&#39;),&#39;2015-05-01-preview&#39;).key1)]&quot;<br /> }<br /> },<br /> {<br /> &quot;type&quot;:&quot;secrets&quot;,<br /> &quot;name&quot;:&quot;[variables(&#39;appInsightsKeyName&#39;)]&quot;,<br /> &quot;dependsOn&quot;:[<br /> &quot;[resourceId(&#39;Microsoft.KeyVault/vaults/&#39;, variables(&#39;keyVaultName&#39;))]&quot;,<br /> &quot;[resourceId(&#39;Microsoft.Insights/components&#39;, variables(&#39;appInsightsName&#39;))]&quot;<br /> ],<br /> &quot;properties&quot;:{<br /> &quot;value&quot;:&quot;[reference(resourceId(&#39;microsoft.insights/components/&#39;,<br /> variables(&#39;appInsightsName&#39;)), &#39;2015-05-01&#39;).InstrumentationKey]&quot;<br /> }<br /> }<br /> ]<br /> }<br /> ]<br />}<br />

Once verified, enter the date that this attestation expires.
Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r0911Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 09 - Application Services > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s09Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > 10 - Miscellaneous

Covers miscellaneous security recommendations.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s10
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0",
  "Skip",
  "Check: All CIS Benchmarks except attestations",
  "Check: All CIS Benchmarks"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0",
    "Skip",
    "Check: All CIS Benchmarks except attestations",
    "Check: All CIS Benchmarks"
  ],
  "example": [
    "Skip"
  ],
  "default": "Per Azure > CIS v2.0"
}

Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Configures auditing against a CIS Benchmark item.

Level: 2

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r1001
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > 10 - Miscellaneous",
  "Skip",
  "Check: Benchmark using attestation"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > 10 - Miscellaneous",
    "Skip",
    "Check: Benchmark using attestation"
  ],
  "default": "Per Azure > CIS v2.0 > 10 - Miscellaneous"
}

Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Azure Portal
1. Navigate to the specific Azure Resource or Resource Group
2. For each mission critical resource, click on Locks
3. Click Add
4. Give the lock a name and a description, then select the type, Read-only or Delete as appropriate
5. Click OK

From Azure CLI
To lock a resource, provide the name of the resource, its resource type, and its resource group name.

<br />az lock create --name &lt;LockName&gt; --lock-type &lt;CanNotDelete/Read-only&gt; --resource-group &lt;resourceGroupName&gt; --resource-name &lt;resourceName&gt; --resource-type &lt;resourceType&gt;<br />

From Powershell

<br />Get-AzResourceLock -ResourceName &lt;Resource Name&gt; -ResourceType &lt;ResourceType&gt; -ResourceGroupName &lt;Resource Group Name&gt; -Locktype &lt;CanNotDelete/Read-only&gt;<br />

Note that the date can not be further in the future than is specified in Azure > CIS v2.0 > Maximum Attestation Duration.
Set to a blank value to clear the attestation.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/r1001Attestation
Category
Parent
Targets
Schema
{
  "type": "string",
  "format": "date-time",
  "default": ""
}

Azure > CIS v2.0 > 10 - Miscellaneous > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

URI
tmod:@turbot/azure-cisv2-0#/policy/types/s10Attestation
Category
Parent
Targets
Valid Value
[
  "Per Azure > CIS v2.0 > Maximum Attestation Duration",
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Per Azure > CIS v2.0 > Maximum Attestation Duration",
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Per Azure > CIS v2.0 > Maximum Attestation Duration"
}

Azure > CIS v2.0 > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/azure-cisv2-0#/policy/types/attestation
Category
Parent
Targets
Valid Value
[
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Skip"
}