Details of the System and Organization Controls (SOC) 2 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the System and Organization Controls (SOC) 2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the SOC 2 Type 2 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Additional Criteria For Availability
Capacity management
ID: SOC 2 Type 2 A1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
Environmental protections, software, data back-up processes, and recovery infrastructure
ID: SOC 2 Type 2 A1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Recovery plan testing
ID: SOC 2 Type 2 A1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Manual, Disabled | 1.1.0 |
| Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Manual, Disabled | 1.1.0 |
| Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Additional Criteria For Confidentiality
Protection of confidential information
ID: SOC 2 Type 2 C1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Disposal of confidential information
ID: SOC 2 Type 2 C1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Control Environment
COSO Principle 1
ID: SOC 2 Type 2 CC1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
COSO Principle 2
ID: SOC 2 Type 2 CC1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
COSO Principle 3
ID: SOC 2 Type 2 CC1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
COSO Principle 4
ID: SOC 2 Type 2 CC1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
COSO Principle 5
ID: SOC 2 Type 2 CC1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Communication and Information
COSO Principle 13
ID: SOC 2 Type 2 CC2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
COSO Principle 14
ID: SOC 2 Type 2 CC2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.1.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
COSO Principle 15
ID: SOC 2 Type 2 CC2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.1.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Risk Assessment
COSO Principle 6
ID: SOC 2 Type 2 CC3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
| Determine information protection needs | CMA_C1750 - Determine information protection needs | Manual, Disabled | 1.1.0 |
| Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
COSO Principle 7
ID: SOC 2 Type 2 CC3.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
| Determine information protection needs | CMA_C1750 - Determine information protection needs | Manual, Disabled | 1.1.0 |
| Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
COSO Principle 8
ID: SOC 2 Type 2 CC3.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
COSO Principle 9
ID: SOC 2 Type 2 CC3.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Monitoring Activities
COSO Principle 16
ID: SOC 2 Type 2 CC4.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
COSO Principle 17
ID: SOC 2 Type 2 CC4.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Control Activities
COSO Principle 10
ID: SOC 2 Type 2 CC5.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
COSO Principle 11
ID: SOC 2 Type 2 CC5.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
COSO Principle 12
ID: SOC 2 Type 2 CC5.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Logical and Physical Access Controls
Logical access security software, infrastructure, and architectures
ID: SOC 2 Type 2 CC6.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.0.3 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | audit, Audit, deny, Deny, disabled, Disabled | 2.2.1 |
| Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Audit, Deny, Disabled | 2.1.0 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
| Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 3.0.0 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
| Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | AuditIfNotExists, Disabled | 1.0.0 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
Access provisioning and removal
ID: SOC 2 Type 2 CC6.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Rol based access and least privilege
ID: SOC 2 Type 2 CC6.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.3 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Restricted physical access
ID: SOC 2 Type 2 CC6.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Logical and physical protections over physical assets
ID: SOC 2 Type 2 CC6.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Security measures against threats outside system boundaries
ID: SOC 2 Type 2 CC6.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
Restrict the movement of information to authorized users
ID: SOC 2 Type 2 CC6.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
Prevent or detect against unauthorized or malicious software
ID: SOC 2 Type 2 CC6.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | AuditIfNotExists, Disabled | 5.1.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | AuditIfNotExists, Disabled | 4.0.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | AuditIfNotExists, Disabled | 3.1.0-preview |
| [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Audit, Disabled | 4.0.0-preview |
| [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Audit, Disabled | 2.0.0-preview |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
| Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | AuditIfNotExists, Disabled | 1.1.0 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | AuditIfNotExists, Disabled | 1.0.0 |
| Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | AuditIfNotExists, Disabled | 1.0.0 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.1.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
| Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.1.0 |
| Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.2.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.0.0 |
System Operations
Detection and monitoring of new vulnerabilities
ID: SOC 2 Type 2 CC7.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Monitor system components for anomalous behavior
ID: SOC 2 Type 2 CC7.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Audit, Disabled | 2.0.1 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Security incidents detection
ID: SOC 2 Type 2 CC7.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Security incidents response
ID: SOC 2 Type 2 CC7.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.1.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Include dynamic reconfig of customer deployed resources | CMA_C1364 - Include dynamic reconfig of customer deployed resources | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Recovery from identified security incidents
ID: SOC 2 Type 2 CC7.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.1.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Change Management
Changes to infrastructure, data, and software
ID: SOC 2 Type 2 CC8.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | AuditIfNotExists, Disabled | 5.1.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | AuditIfNotExists, Disabled | 4.0.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | AuditIfNotExists, Disabled | 3.1.0-preview |
| [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Audit, Disabled | 4.0.0-preview |
| [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Audit, Disabled | 2.0.0-preview |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
| Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | AuditIfNotExists, Disabled | 1.1.0 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.1.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
| Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.1.0 |
| Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.2.0 |
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.0.0 |
Risk Mitigation
Risk mitigation activities
ID: SOC 2 Type 2 CC9.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine information protection needs | CMA_C1750 - Determine information protection needs | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Vendors and business partners risk management
ID: SOC 2 Type 2 CC9.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
Additional Criteria For Privacy
Privacy notice
ID: SOC 2 Type 2 P1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Provide privacy notice to the public and to individuals | CMA_C1861 - Provide privacy notice to the public and to individuals | Manual, Disabled | 1.1.0 |
Privacy consent
ID: SOC 2 Type 2 P2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Consistent personal information collection
ID: SOC 2 Type 2 P3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine legal authority to collect PII | CMA_C1800 - Determine legal authority to collect PII | Manual, Disabled | 1.1.0 |
| Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Manual, Disabled | 1.1.0 |
| Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Personal information explicit consent
ID: SOC 2 Type 2 P3.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Collect PII directly from the individual | CMA_C1822 - Collect PII directly from the individual | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Personal information use
ID: SOC 2 Type 2 P4.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Personal information retention
ID: SOC 2 Type 2 P4.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Manual, Disabled | 1.1.0 |
Personal information disposal
ID: SOC 2 Type 2 P4.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Personal information access
ID: SOC 2 Type 2 P5.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Manual, Disabled | 1.1.0 |
| Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Manual, Disabled | 1.1.0 |
Personal information correction
ID: SOC 2 Type 2 P5.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Respond to rectification requests | CMA_0442 - Respond to rectification requests | Manual, Disabled | 1.1.0 |
Personal information third party disclosure
ID: SOC 2 Type 2 P6.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
| Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
| Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
Authorized disclosure of personal information record
ID: SOC 2 Type 2 P6.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Manual, Disabled | 1.1.0 |
Unauthorized disclosure of personal information record
ID: SOC 2 Type 2 P6.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Manual, Disabled | 1.1.0 |
Third party agreements
ID: SOC 2 Type 2 P6.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
Third party unauthorized disclosure notification
ID: SOC 2 Type 2 P6.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
Privacy incident notification
ID: SOC 2 Type 2 P6.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
Accounting of disclosure of personal information
ID: SOC 2 Type 2 P6.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Manual, Disabled | 1.1.0 |
| Make accounting of disclosures available upon request | CMA_C1820 - Make accounting of disclosures available upon request | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Personal information quality
ID: SOC 2 Type 2 P7.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Confirm quality and integrity of PII | CMA_C1821 - Confirm quality and integrity of PII | Manual, Disabled | 1.1.0 |
| Issue guidelines for ensuring data quality and integrity | CMA_C1824 - Issue guidelines for ensuring data quality and integrity | Manual, Disabled | 1.1.0 |
| Verify inaccurate or outdated PII | CMA_C1823 - Verify inaccurate or outdated PII | Manual, Disabled | 1.1.0 |
Privacy complaint management and compliance management
ID: SOC 2 Type 2 P8.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Manual, Disabled | 1.1.0 |
| Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
| Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
| Respond to complaints, concerns, or questions timely | CMA_C1853 - Respond to complaints, concerns, or questions timely | Manual, Disabled | 1.1.0 |
| Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
Additional Criteria For Processing Integrity
Data processing definitions
ID: SOC 2 Type 2 PI1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
System inputs over completeness and accuracy
ID: SOC 2 Type 2 PI1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
System processing
ID: SOC 2 Type 2 PI1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
System output is complete, accurate, and timely
ID: SOC 2 Type 2 PI1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Store inputs and outputs completely, accurately, and timely
ID: SOC 2 Type 2 PI1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for