Details of the Microsoft cloud security benchmark (Azure Government) Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Microsoft cloud security benchmark (Azure Government). For more information about this compliance standard, see Microsoft cloud security benchmark. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the Microsoft cloud security benchmark controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Microsoft cloud security benchmark Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Network Security
Establish network segmentation boundaries
ID: Microsoft cloud security benchmark NS-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Secure cloud services with network controls
ID: Microsoft cloud security benchmark NS-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.0 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Cosmos DB should disable public network access | Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Audit, Deny, Disabled | 1.0.0 |
| Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. | Audit, Deny, Disabled | 1.0.1 |
| Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Audit, Deny, Disabled | 1.0.2 |
| Azure Databricks Workspaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. | Audit, Deny, Disabled | 1.0.1 |
| Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Audit, Disabled | 1.0.2 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Machine Learning Computes should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Audit, Disabled | 1.0.1 |
| Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Audit, Deny, Disabled | 2.0.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure SQL Managed Instances should disable public network access | Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
Deploy firewall at the edge of enterprise network
ID: Microsoft cloud security benchmark NS-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
Deploy DDOS protection
ID: Microsoft cloud security benchmark NS-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 |
Deploy web application firewall
ID: Microsoft cloud security benchmark NS-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Detect and disable insecure services and protocols
ID: Microsoft cloud security benchmark NS-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
Identity Management
Use centralized identity and authentication system
ID: Microsoft cloud security benchmark IM-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.1 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Audit, Deny, Disabled | 2.1.0 |
| Azure SQL Database should have Microsoft Entra-only authentication enabled | Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Audit, Deny, Disabled | 1.0.0 |
| Azure SQL Database should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Audit, Deny, Disabled | 1.2.0 |
| Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled | Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Audit, Deny, Disabled | 1.0.0 |
| Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Audit, Deny, Disabled | 1.2.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should prevent shared key access | Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. | Audit, Deny, Disabled | 2.0.0 |
| Synapse Workspaces should have Microsoft Entra-only authentication enabled | Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Audit, Deny, Disabled | 1.0.0 |
| Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation | Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Audit, Deny, Disabled | 1.2.0 |
| VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant | Audit, Deny, Disabled | 1.0.0 |
Manage application identities securely and automatically
ID: Microsoft cloud security benchmark IM-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Authenticate server and services
ID: Microsoft cloud security benchmark IM-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Disabled, Deny | 2.0.0 |
Use strong authentication controls
ID: Microsoft cloud security benchmark IM-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Privileged Access
Separate and limit highly privileged/administrative users
ID: Microsoft cloud security benchmark PA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Avoid standing access for accounts and permissions
ID: Microsoft cloud security benchmark PA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Review and reconcile user access regularly
ID: Microsoft cloud security benchmark PA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Follow just enough administration (least privilege) principle
ID: Microsoft cloud security benchmark PA-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.3 |
Data Protection
Monitor anomalies and threats targeting sensitive data
ID: Microsoft cloud security benchmark DP-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
Encrypt sensitive data in transit
ID: Microsoft cloud security benchmark DP-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Disabled, Deny | 2.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Enable data at rest encryption by default
ID: Microsoft cloud security benchmark DP-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Use customer-managed key option in data at rest encryption when required
ID: Microsoft cloud security benchmark DP-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.0.3 |
| Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Audit, Deny, Disabled | 2.1.0 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
Ensure security of key and certificate repository
ID: Microsoft cloud security benchmark DP-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 3.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Asset Management
Use only approved services
ID: Microsoft cloud security benchmark AM-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Use only approved applications in virtual machine
ID: Microsoft cloud security benchmark AM-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
Logging and Threat Detection
Enable threat detection capabilities
ID: Microsoft cloud security benchmark LT-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
Enable threat detection for identity and access management
ID: Microsoft cloud security benchmark LT-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
Enable logging for security investigation
ID: Microsoft cloud security benchmark LT-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.1 |
| Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | AuditIfNotExists, Disabled | 1.0.0 |
| Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.1 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Centralize security log management and analysis
ID: Microsoft cloud security benchmark LT-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
Configure log storage retention
ID: Microsoft cloud security benchmark LT-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Incident Response
Preparation - setup incident notification
ID: Microsoft cloud security benchmark IR-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Detection and analysis - create incidents based on high-quality alerts
ID: Microsoft cloud security benchmark IR-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
Detection and analysis - investigate an incident
ID: Microsoft cloud security benchmark IR-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Detection and analysis - prioritize incidents
ID: AMicrosoft cloud security benchmark IR-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
Posture and Vulnerability Management
Audit and enforce secure configurations
ID: Microsoft cloud security benchmark PV-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | [parameters('effects')] | 1.0.3 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 10.1.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 10.1.1 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 10.1.0 |
| Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
Audit and enforce secure configurations for compute resources
ID: Microsoft cloud security benchmark PV-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | AuditIfNotExists, Disabled | 5.1.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | AuditIfNotExists, Disabled | 4.0.0-preview |
| [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | AuditIfNotExists, Disabled | 3.1.0-preview |
| [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Audit, Disabled | 4.0.0-preview |
| [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Audit, Disabled | 2.0.0-preview |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.2 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Rapidly and automatically remediate vulnerabilities
ID: Microsoft cloud security benchmark PV-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
Endpoint Security
Use Endpoint Detection and Response (EDR)
ID: Microsoft cloud security benchmark ES-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
Use modern anti-malware software
ID: Microsoft cloud security benchmark ES-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Backup and Recovery
Ensure regular automated backups
ID: Microsoft cloud security benchmark BR-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
Protect backup and recovery data
ID: Microsoft cloud security benchmark BR-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
DevOps Security
Enforce security of workload throughout DevOps lifecycle
ID: Microsoft cloud security benchmark DS-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for