Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government). For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark 1.1.0. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the CIS Microsoft Azure Foundations Benchmark 1.1.0 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the CIS Microsoft Azure Foundations Benchmark v1.1.0 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
1 Identity and Access Management
Ensure that multi-factor authentication is enabled for all privileged users
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that multi-factor authentication is enabled for all non-privileged users
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that there are no guest users
ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
2 Security Center
Ensure that standard pricing tier is selected
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
Ensure that 'Security contact emails' is set
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Ensure that 'Send email notification for high severity alerts' is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Ensure that 'Send email also to subscription owners' is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.19 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled"
ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
3 Storage Accounts
Ensure that 'Secure transfer required' is set to 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Ensure default network access rule for Storage Accounts is set to deny
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 |
4 Database Services
Ensure that 'Auditing' is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that 'Auditing' Retention is 'greater than 90 days'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Ensure that 'Advanced Data Security' on a SQL server is set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
Ensure that Azure Active Directory Admin is configured
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that 'Data encryption' is set to 'On' on a SQL Database
ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
5 Logging and Monitoring
Ensure that a Log Profile exists
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure subscriptions should have a log profile for Activity Log | This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Retention is set 365 days or greater
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 |
Ensure audit profile captures all the activities
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 |
Ensure the log profile captures activity logs for all regions including global
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that logging for Azure KeyVault is 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Ensure that Activity Log Alert exists for Create Policy Assignment
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
Ensure that Activity Log Alert exists for Create or Update Network Security Group
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Alert exists for Delete Network Security Group
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that activity log alert exists for the Delete Network Security Group Rule
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Alert exists for Create or Update Security Solution
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Alert exists for Delete Security Solution
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Activity Log Alert exists for Update Security Policy
ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
6 Networking
Ensure that Network Watcher is 'Enabled'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
7 Virtual Machines
Ensure that 'OS disk' are encrypted
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Ensure that 'Data disks' are encrypted
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Ensure that only approved extensions are installed
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
Ensure that the latest OS Patches for all Virtual Machines are applied
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Ensure that the endpoint protection for all Virtual Machines is installed
ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
8 Other Security Considerations
Ensure the key vault is recoverable
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
Enable role-based access control (RBAC) within Azure Kubernetes Services
ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.3 |
9 AppService
Ensure App Service Authentication is set on Azure App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 2.0.1 |
| Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 3.0.0 |
Ensure that 'HTTP Version' is the latest, if used to run the web app
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
Ensure web app is using the latest version of TLS encryption
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Ensure that Register with Azure Active Directory is enabled on App Service
ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for