Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the NIST SP 800-53 Rev. 4 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Access Control
Access Control Policy and Procedures
ID: NIST SP 800-53 Rev. 4 AC-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1000 - Access Control Policy And Procedures | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1001 - Access Control Policy And Procedures | Microsoft implements this Access Control control | audit | 1.0.0 |
Account Management
ID: NIST SP 800-53 Rev. 4 AC-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1002 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1003 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1004 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1005 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1006 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1007 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1008 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1009 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1010 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1011 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1012 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Automated System Account Management
ID: NIST SP 800-53 Rev. 4 AC-2 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1013 - Account Management | Automated System Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Removal of Temporary / Emergency Accounts
ID: NIST SP 800-53 Rev. 4 AC-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Disable Inactive Accounts
ID: NIST SP 800-53 Rev. 4 AC-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Automated Audit Actions
ID: NIST SP 800-53 Rev. 4 AC-2 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1016 - Account Management | Automated Audit Actions | Microsoft implements this Access Control control | audit | 1.0.0 |
Inactivity Logout
ID: NIST SP 800-53 Rev. 4 AC-2 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1017 - Account Management | Inactivity Logout | Microsoft implements this Access Control control | audit | 1.0.0 |
Role-based Schemes
ID: NIST SP 800-53 Rev. 4 AC-2 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1018 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1019 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1020 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
Restrictions On Use of Shared / Group Accounts
ID: NIST SP 800-53 Rev. 4 AC-2 (9)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Shared / Group Account Credential Termination
ID: NIST SP 800-53 Rev. 4 AC-2 (10)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination | Microsoft implements this Access Control control | audit | 1.0.0 |
Usage Conditions
ID: NIST SP 800-53 Rev. 4 AC-2 (11)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1023 - Account Management | Usage Conditions | Microsoft implements this Access Control control | audit | 1.0.0 |
Account Monitoring / Atypical Usage
ID: NIST SP 800-53 Rev. 4 AC-2 (12)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |
Disable Accounts for High-risk Individuals
ID: NIST SP 800-53 Rev. 4 AC-2 (13)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals | Microsoft implements this Access Control control | audit | 1.0.0 |
Access Enforcement
ID: NIST SP 800-53 Rev. 4 AC-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | AuditIfNotExists, Disabled | 1.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 2.0.1 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1027 - Access Enforcement | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Role-based Access Control
ID: NIST SP 800-53 Rev. 4 AC-3 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |
Information Flow Enforcement
ID: NIST SP 800-53 Rev. 4 AC-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Audit, Deny, Disabled | 2.0.0-preview |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 2.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 1.1.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1028 - Information Flow Enforcement | Microsoft implements this Access Control control | audit | 1.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Audit, Deny, Disabled | 1.1.0-preview |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | disabled | 3.0.1-preview |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Dynamic Information Flow Control
ID: NIST SP 800-53 Rev. 4 AC-4 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Security Policy Filters
ID: NIST SP 800-53 Rev. 4 AC-4 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters | Microsoft implements this Access Control control | audit | 1.0.0 |
Physical / Logical Separation of Information Flows
ID: NIST SP 800-53 Rev. 4 AC-4 (21)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows | Microsoft implements this Access Control control | audit | 1.0.0 |
Separation of Duties
ID: NIST SP 800-53 Rev. 4 AC-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1031 - Separation Of Duties | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1032 - Separation Of Duties | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1033 - Separation Of Duties | Microsoft implements this Access Control control | audit | 1.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Least Privilege
ID: NIST SP 800-53 Rev. 4 AC-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.0 |
| Microsoft Managed Control 1034 - Least Privilege | Microsoft implements this Access Control control | audit | 1.0.0 |
Authorize Access to Security Functions
ID: NIST SP 800-53 Rev. 4 AC-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Non-privileged Access for Nonsecurity Functions
ID: NIST SP 800-53 Rev. 4 AC-6 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Network Access to Privileged Commands
ID: NIST SP 800-53 Rev. 4 AC-6 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands | Microsoft implements this Access Control control | audit | 1.0.0 |
Privileged Accounts
ID: NIST SP 800-53 Rev. 4 AC-6 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Review of User Privileges
ID: NIST SP 800-53 Rev. 4 AC-6 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.0 |
| Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges | Microsoft implements this Access Control control | audit | 1.0.0 |
Privilege Levels for Code Execution
ID: NIST SP 800-53 Rev. 4 AC-6 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution | Microsoft implements this Access Control control | audit | 1.0.0 |
Auditing Use of Privileged Functions
ID: NIST SP 800-53 Rev. 4 AC-6 (9)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Prohibit Non-privileged Users from Executing Privileged Functions
ID: NIST SP 800-53 Rev. 4 AC-6 (10)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Unsuccessful Logon Attempts
ID: NIST SP 800-53 Rev. 4 AC-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1044 - Unsuccessful Logon Attempts | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1045 - Unsuccessful Logon Attempts | Microsoft implements this Access Control control | audit | 1.0.0 |
Purge / Wipe Mobile Device
ID: NIST SP 800-53 Rev. 4 AC-7 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device | Microsoft implements this Access Control control | audit | 1.0.0 |
System Use Notification
ID: NIST SP 800-53 Rev. 4 AC-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1047 - System Use Notification | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1048 - System Use Notification | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1049 - System Use Notification | Microsoft implements this Access Control control | audit | 1.0.0 |
Concurrent Session Control
ID: NIST SP 800-53 Rev. 4 AC-10
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1050 - Concurrent Session Control | Microsoft implements this Access Control control | audit | 1.0.0 |
Session Lock
ID: NIST SP 800-53 Rev. 4 AC-11
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1051 - Session Lock | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1052 - Session Lock | Microsoft implements this Access Control control | audit | 1.0.0 |
Pattern-hiding Displays
ID: NIST SP 800-53 Rev. 4 AC-11 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays | Microsoft implements this Access Control control | audit | 1.0.0 |
Session Termination
ID: NIST SP 800-53 Rev. 4 AC-12
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1054 - Session Termination | Microsoft implements this Access Control control | audit | 1.0.0 |
User-initiated Logouts / Message Displays
ID: NIST SP 800-53 Rev. 4 AC-12 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message Displays | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays | Microsoft implements this Access Control control | audit | 1.0.0 |
Permitted Actions Without Identification or Authentication
ID: NIST SP 800-53 Rev. 4 AC-14
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication | Microsoft implements this Access Control control | audit | 1.0.0 |
Security Attributes
ID: NIST SP 800-53 Rev. 4 AC-16
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
Remote Access
ID: NIST SP 800-53 Rev. 4 AC-17
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 1.0.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Audit, Deny, Disabled | 1.0.3 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1 |
| Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Audit, Disabled, Deny | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| Microsoft Managed Control 1059 - Remote Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1060 - Remote Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Audit, Deny, Disabled | 1.1.0-preview |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Automated Monitoring / Control
ID: NIST SP 800-53 Rev. 4 AC-17 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 1.0.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Audit, Deny, Disabled | 1.0.3 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1 |
| Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Audit, Disabled, Deny | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control | Microsoft implements this Access Control control | audit | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Audit, Deny, Disabled | 1.1.0-preview |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Protection of Confidentiality / Integrity Using Encryption
ID: NIST SP 800-53 Rev. 4 AC-17 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption | Microsoft implements this Access Control control | audit | 1.0.0 |
Managed Access Control Points
ID: NIST SP 800-53 Rev. 4 AC-17 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points | Microsoft implements this Access Control control | audit | 1.0.0 |
Privileged Commands / Access
ID: NIST SP 800-53 Rev. 4 AC-17 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access | Microsoft implements this Access Control control | audit | 1.0.0 |
Disconnect / Disable Access
ID: NIST SP 800-53 Rev. 4 AC-17 (9)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access | Microsoft implements this Access Control control | audit | 1.0.0 |
Wireless Access
ID: NIST SP 800-53 Rev. 4 AC-18
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1067 - Wireless Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1068 - Wireless Access | Microsoft implements this Access Control control | audit | 1.0.0 |
Authentication and Encryption
ID: NIST SP 800-53 Rev. 4 AC-18 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption | Microsoft implements this Access Control control | audit | 1.0.0 |
Disable Wireless Networking
ID: NIST SP 800-53 Rev. 4 AC-18 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking | Microsoft implements this Access Control control | audit | 1.0.0 |
Restrict Configurations by Users
ID: NIST SP 800-53 Rev. 4 AC-18 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users | Microsoft implements this Access Control control | audit | 1.0.0 |
Antennas / Transmission Power Levels
ID: NIST SP 800-53 Rev. 4 AC-18 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels | Microsoft implements this Access Control control | audit | 1.0.0 |
Access Control for Mobile Devices
ID: NIST SP 800-53 Rev. 4 AC-19
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1073 - Access Control For Mobile Devices | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1074 - Access Control For Mobile Devices | Microsoft implements this Access Control control | audit | 1.0.0 |
Full Device / Container-based Encryption
ID: NIST SP 800-53 Rev. 4 AC-19 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption | Microsoft implements this Access Control control | audit | 1.0.0 |
Use of External Information Systems
ID: NIST SP 800-53 Rev. 4 AC-20
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1076 - Use Of External Information Systems | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1077 - Use Of External Information Systems | Microsoft implements this Access Control control | audit | 1.0.0 |
Limits On Authorized Use
ID: NIST SP 800-53 Rev. 4 AC-20 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use | Microsoft implements this Access Control control | audit | 1.0.0 |
Portable Storage Devices
ID: NIST SP 800-53 Rev. 4 AC-20 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices | Microsoft implements this Access Control control | audit | 1.0.0 |
Information Sharing
ID: NIST SP 800-53 Rev. 4 AC-21
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1081 - Information Sharing | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1082 - Information Sharing | Microsoft implements this Access Control control | audit | 1.0.0 |
Publicly Accessible Content
ID: NIST SP 800-53 Rev. 4 AC-22
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1083 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1084 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1085 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1086 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
Awareness and Training
Security Awareness and Training Policy and Procedures
ID: NIST SP 800-53 Rev. 4 AT-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Security Awareness Training
ID: NIST SP 800-53 Rev. 4 AT-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1089 - Security Awareness Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1090 - Security Awareness Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1091 - Security Awareness Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Insider Threat
ID: NIST SP 800-53 Rev. 4 AT-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Role-based Security Training
ID: NIST SP 800-53 Rev. 4 AT-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1093 - Role-Based Security Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1094 - Role-Based Security Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1095 - Role-Based Security Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Practical Exercises
ID: NIST SP 800-53 Rev. 4 AT-3 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Suspicious Communications and Anomalous System Behavior
ID: NIST SP 800-53 Rev. 4 AT-3 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Security Training Records
ID: NIST SP 800-53 Rev. 4 AT-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1098 - Security Training Records | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1099 - Security Training Records | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Audit and Accountability
Audit and Accountability Policy and Procedures
ID: NIST SP 800-53 Rev. 4 AU-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Events
ID: NIST SP 800-53 Rev. 4 AU-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1102 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1103 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1104 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1105 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Reviews and Updates
ID: NIST SP 800-53 Rev. 4 AU-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1106 - Audit Events | Reviews And Updates | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Content of Audit Records
ID: NIST SP 800-53 Rev. 4 AU-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1107 - Content Of Audit Records | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Additional Audit Information
ID: NIST SP 800-53 Rev. 4 AU-3 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Centralized Management of Planned Audit Record Content
ID: NIST SP 800-53 Rev. 4 AU-3 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Storage Capacity
ID: NIST SP 800-53 Rev. 4 AU-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1110 - Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Response to Audit Processing Failures
ID: NIST SP 800-53 Rev. 4 AU-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1111 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1112 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Storage Capacity
ID: NIST SP 800-53 Rev. 4 AU-5 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Real-time Alerts
ID: NIST SP 800-53 Rev. 4 AU-5 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Review, Analysis, and Reporting
ID: NIST SP 800-53 Rev. 4 AU-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Process Integration
ID: NIST SP 800-53 Rev. 4 AU-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Correlate Audit Repositories
ID: NIST SP 800-53 Rev. 4 AU-6 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Central Review and Analysis
ID: NIST SP 800-53 Rev. 4 AU-6 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Integration / Scanning and Monitoring Capabilities
ID: NIST SP 800-53 Rev. 4 AU-6 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Correlation with Physical Monitoring
ID: NIST SP 800-53 Rev. 4 AU-6 (6)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Permitted Actions
ID: NIST SP 800-53 Rev. 4 AU-6 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Level Adjustment
ID: NIST SP 800-53 Rev. 4 AU-6 (10)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Reduction and Report Generation
ID: NIST SP 800-53 Rev. 4 AU-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1124 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1125 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Automatic Processing
ID: NIST SP 800-53 Rev. 4 AU-7 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Time Stamps
ID: NIST SP 800-53 Rev. 4 AU-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1127 - Time Stamps | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1128 - Time Stamps | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Synchronization with Authoritative Time Source
ID: NIST SP 800-53 Rev. 4 AU-8 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Protection of Audit Information
ID: NIST SP 800-53 Rev. 4 AU-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1131 - Protection Of Audit Information | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Backup On Separate Physical Systems / Components
ID: NIST SP 800-53 Rev. 4 AU-9 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 AU-9 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Access by Subset of Privileged Users
ID: NIST SP 800-53 Rev. 4 AU-9 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Non-repudiation
ID: NIST SP 800-53 Rev. 4 AU-10
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1135 - Non-Repudiation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Record Retention
ID: NIST SP 800-53 Rev. 4 AU-11
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1136 - Audit Record Retention | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Generation
ID: NIST SP 800-53 Rev. 4 AU-12
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Microsoft Managed Control 1137 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1138 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1139 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
System-wide / Time-correlated Audit Trail
ID: NIST SP 800-53 Rev. 4 AU-12 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Changes by Authorized Individuals
ID: NIST SP 800-53 Rev. 4 AU-12 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Security Assessment and Authorization
Security Assessment and Authorization Policy and Procedures
ID: NIST SP 800-53 Rev. 4 CA-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Security Assessments
ID: NIST SP 800-53 Rev. 4 CA-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1144 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1145 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1146 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1147 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Independent Assessors
ID: NIST SP 800-53 Rev. 4 CA-2 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1148 - Security Assessments | Independent Assessors | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Specialized Assessments
ID: NIST SP 800-53 Rev. 4 CA-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
External Organizations
ID: NIST SP 800-53 Rev. 4 CA-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1150 - Security Assessments | External Organizations | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
System Interconnections
ID: NIST SP 800-53 Rev. 4 CA-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1151 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1152 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1153 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Unclassified Non-national Security System Connections
ID: NIST SP 800-53 Rev. 4 CA-3 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Restrictions On External System Connections
ID: NIST SP 800-53 Rev. 4 CA-3 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Plan of Action and Milestones
ID: NIST SP 800-53 Rev. 4 CA-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1156 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1157 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Security Authorization
ID: NIST SP 800-53 Rev. 4 CA-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1158 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1159 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1160 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Continuous Monitoring
ID: NIST SP 800-53 Rev. 4 CA-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1161 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1162 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1163 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1164 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1165 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1166 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1167 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Independent Assessment
ID: NIST SP 800-53 Rev. 4 CA-7 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Trend Analyses
ID: NIST SP 800-53 Rev. 4 CA-7 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Penetration Testing
ID: NIST SP 800-53 Rev. 4 CA-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1170 - Penetration Testing | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Independent Penetration Agent or Team
ID: NIST SP 800-53 Rev. 4 CA-8 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Internal System Connections
ID: NIST SP 800-53 Rev. 4 CA-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1172 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1173 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Configuration Management
Configuration Management Policy and Procedures
ID: NIST SP 800-53 Rev. 4 CM-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Baseline Configuration
ID: NIST SP 800-53 Rev. 4 CM-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1176 - Baseline Configuration | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Reviews and Updates
ID: NIST SP 800-53 Rev. 4 CM-2 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automation Support for Accuracy / Currency
ID: NIST SP 800-53 Rev. 4 CM-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Retention of Previous Configurations
ID: NIST SP 800-53 Rev. 4 CM-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configure Systems, Components, or Devices for High-risk Areas
ID: NIST SP 800-53 Rev. 4 CM-2 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configuration Change Control
ID: NIST SP 800-53 Rev. 4 CM-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1184 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1185 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1186 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1187 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1188 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1189 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1190 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Document / Notification / Prohibition of Changes
ID: NIST SP 800-53 Rev. 4 CM-3 (1)
Test / Validate / Document Changes
ID: NIST SP 800-53 Rev. 4 CM-3 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Security Representative
ID: NIST SP 800-53 Rev. 4 CM-3 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1198 - Configuration Change Control | Security Representative | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Cryptography Management
ID: NIST SP 800-53 Rev. 4 CM-3 (6)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Security Impact Analysis
ID: NIST SP 800-53 Rev. 4 CM-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1200 - Security Impact Analysis | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Separate Test Environments
ID: NIST SP 800-53 Rev. 4 CM-4 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Access Restrictions for Change
ID: NIST SP 800-53 Rev. 4 CM-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1202 - Access Restrictions For Change | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Access Enforcement / Auditing
ID: NIST SP 800-53 Rev. 4 CM-5 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Review System Changes
ID: NIST SP 800-53 Rev. 4 CM-5 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Signed Components
ID: NIST SP 800-53 Rev. 4 CM-5 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Limit Production / Operational Privileges
ID: NIST SP 800-53 Rev. 4 CM-5 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configuration Settings
ID: NIST SP 800-53 Rev. 4 CM-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Audit, Disabled | 1.0.1 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 7.0.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 3.0.1 |
| Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 6.1.1 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 7.0.0 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 6.1.1 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 7.0.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 3.0.1 |
| Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 1.1.1-preview |
| Microsoft Managed Control 1208 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1209 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1210 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1211 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 1.0.1-preview |
Automated Central Management / Application / Verification
ID: NIST SP 800-53 Rev. 4 CM-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Respond to Unauthorized Changes
ID: NIST SP 800-53 Rev. 4 CM-6 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Least Functionality
ID: NIST SP 800-53 Rev. 4 CM-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1214 - Least Functionality | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1215 - Least Functionality | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Periodic Review
ID: NIST SP 800-53 Rev. 4 CM-7 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1216 - Least Functionality | Periodic Review | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1217 - Least Functionality | Periodic Review | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Prevent Program Execution
ID: NIST SP 800-53 Rev. 4 CM-7 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Authorized Software / Whitelisting
ID: NIST SP 800-53 Rev. 4 CM-7 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Information System Component Inventory
ID: NIST SP 800-53 Rev. 4 CM-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1222 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1223 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Updates During Installations / Removals
ID: NIST SP 800-53 Rev. 4 CM-8 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Maintenance
ID: NIST SP 800-53 Rev. 4 CM-8 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Unauthorized Component Detection
ID: NIST SP 800-53 Rev. 4 CM-8 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Accountability Information
ID: NIST SP 800-53 Rev. 4 CM-8 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information | Microsoft implements this Configuration Management control | audit | 1.0.0 |
No Duplicate Accounting of Components
ID: NIST SP 800-53 Rev. 4 CM-8 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configuration Management Plan
ID: NIST SP 800-53 Rev. 4 CM-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Software Usage Restrictions
ID: NIST SP 800-53 Rev. 4 CM-10
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1234 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1235 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1236 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Open Source Software
ID: NIST SP 800-53 Rev. 4 CM-10 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
User-installed Software
ID: NIST SP 800-53 Rev. 4 CM-11
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1238 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1239 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1240 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Alerts for Unauthorized Installations
ID: NIST SP 800-53 Rev. 4 CM-11 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Contingency Planning
Contingency Planning Policy and Procedures
ID: NIST SP 800-53 Rev. 4 CP-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Contingency Plan
ID: NIST SP 800-53 Rev. 4 CP-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1244 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1245 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1246 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1247 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1248 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1249 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1250 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Coordinate with Related Plans
ID: NIST SP 800-53 Rev. 4 CP-2 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Capacity Planning
ID: NIST SP 800-53 Rev. 4 CP-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Resume Essential Missions / Business Functions
ID: NIST SP 800-53 Rev. 4 CP-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Resume All Missions / Business Functions
ID: NIST SP 800-53 Rev. 4 CP-2 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Continue Essential Missions / Business Functions
ID: NIST SP 800-53 Rev. 4 CP-2 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Identify Critical Assets
ID: NIST SP 800-53 Rev. 4 CP-2 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Contingency Training
ID: NIST SP 800-53 Rev. 4 CP-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1257 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1258 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1259 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Simulated Events
ID: NIST SP 800-53 Rev. 4 CP-3 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1260 - Contingency Training | Simulated Events | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Contingency Plan Testing
ID: NIST SP 800-53 Rev. 4 CP-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1261 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1262 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1263 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Coordinate with Related Plans
ID: NIST SP 800-53 Rev. 4 CP-4 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Alternate Processing Site
ID: NIST SP 800-53 Rev. 4 CP-4 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Alternate Storage Site
ID: NIST SP 800-53 Rev. 4 CP-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1267 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1268 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separation from Primary Site
ID: NIST SP 800-53 Rev. 4 CP-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Recovery Time / Point Objectives
ID: NIST SP 800-53 Rev. 4 CP-6 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Accessibility
ID: NIST SP 800-53 Rev. 4 CP-6 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Alternate Processing Site
ID: NIST SP 800-53 Rev. 4 CP-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Microsoft Managed Control 1272 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1273 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1274 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separation from Primary Site
ID: NIST SP 800-53 Rev. 4 CP-7 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Accessibility
ID: NIST SP 800-53 Rev. 4 CP-7 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Priority of Service
ID: NIST SP 800-53 Rev. 4 CP-7 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Preparation for Use
ID: NIST SP 800-53 Rev. 4 CP-7 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Telecommunications Services
ID: NIST SP 800-53 Rev. 4 CP-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1279 - Telecommunications Services | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Priority of Service Provisions
ID: NIST SP 800-53 Rev. 4 CP-8 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Single Points of Failure
ID: NIST SP 800-53 Rev. 4 CP-8 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separation of Primary / Alternate Providers
ID: NIST SP 800-53 Rev. 4 CP-8 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Provider Contingency Plan
ID: NIST SP 800-53 Rev. 4 CP-8 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Information System Backup
ID: NIST SP 800-53 Rev. 4 CP-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 2.0.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Audit, Deny, Disabled | 2.0.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 2.0.0 |
| Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Testing for Reliability / Integrity
ID: NIST SP 800-53 Rev. 4 CP-9 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Test Restoration Using Sampling
ID: NIST SP 800-53 Rev. 4 CP-9 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separate Storage for Critical Information
ID: NIST SP 800-53 Rev. 4 CP-9 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Transfer to Alternate Storage Site
ID: NIST SP 800-53 Rev. 4 CP-9 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Information System Recovery and Reconstitution
ID: NIST SP 800-53 Rev. 4 CP-10
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1295 - Information System Recovery And Reconstitution | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Transaction Recovery
ID: NIST SP 800-53 Rev. 4 CP-10 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Restore Within Time Period
ID: NIST SP 800-53 Rev. 4 CP-10 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Identification and Authentication
Identification and Authentication Policy and Procedures
ID: NIST SP 800-53 Rev. 4 IA-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Identification and Authentication (organizational Users)
ID: NIST SP 800-53 Rev. 4 IA-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1300 - Identification And Authentication (Organizational Users) | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
Network Access to Privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) | Network Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Network Access to Non-privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Local Access to Privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Local Access to Non-privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1304 - Identification And Authentication (Org. Users) | Local Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Group Authentication
ID: NIST SP 800-53 Rev. 4 IA-2 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) | Group Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Network Access to Privileged Accounts - Replay Resistant
ID: NIST SP 800-53 Rev. 4 IA-2 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. - Replay | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Network Access to Non-privileged Accounts - Replay Resistant
ID: NIST SP 800-53 Rev. 4 IA-2 (9)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. - Replay | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Remote Access - Separate Device
ID: NIST SP 800-53 Rev. 4 IA-2 (11)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Acceptance of PIV Credentials
ID: NIST SP 800-53 Rev. 4 IA-2 (12)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1309 - Identification And Authentication (Org. Users) | Acceptance Of Piv Credentials | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Device Identification and Authentication
ID: NIST SP 800-53 Rev. 4 IA-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1310 - Device Identification And Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Identifier Management
ID: NIST SP 800-53 Rev. 4 IA-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1311 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1312 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1313 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1314 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1315 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
Identify User Status
ID: NIST SP 800-53 Rev. 4 IA-4 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1316 - Identifier Management | Identify User Status | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Authenticator Management
ID: NIST SP 800-53 Rev. 4 IA-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 1.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 2.0.1 |
| Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | disabled | 2.1.0-preview |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
| Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
| Microsoft Managed Control 1317 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1318 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1319 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1320 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1321 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1322 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1323 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1324 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1325 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1326 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Password-based Authentication
ID: NIST SP 800-53 Rev. 4 IA-5 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Pki-based Authentication
ID: NIST SP 800-53 Rev. 4 IA-5 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1335 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
In-person or Trusted Third-party Registration
ID: NIST SP 800-53 Rev. 4 IA-5 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Automated Support for Password Strength Determination
ID: NIST SP 800-53 Rev. 4 IA-5 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Protection of Authenticators
ID: NIST SP 800-53 Rev. 4 IA-5 (6)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
No Embedded Unencrypted Static Authenticators
ID: NIST SP 800-53 Rev. 4 IA-5 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Multiple Information System Accounts
ID: NIST SP 800-53 Rev. 4 IA-5 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Hardware Token-based Authentication
ID: NIST SP 800-53 Rev. 4 IA-5 (11)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Expiration of Cached Authenticators
ID: NIST SP 800-53 Rev. 4 IA-5 (13)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Authenticator Feedback
ID: NIST SP 800-53 Rev. 4 IA-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1344 - Authenticator Feedback | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Cryptographic Module Authentication
ID: NIST SP 800-53 Rev. 4 IA-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1345 - Cryptographic Module Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Identification and Authentication (non-organizational Users)
ID: NIST SP 800-53 Rev. 4 IA-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Acceptance of PIV Credentials from Other Agencies
ID: NIST SP 800-53 Rev. 4 IA-8 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys. | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Acceptance of Third-party Credentials
ID: NIST SP 800-53 Rev. 4 IA-8 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. Users) | Acceptance Of Third-Party Credentials | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Use of Ficam-approved Products
ID: NIST SP 800-53 Rev. 4 IA-8 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Approved Products | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Use of Ficam-issued Profiles
ID: NIST SP 800-53 Rev. 4 IA-8 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Issued Profiles | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Incident Response
Incident Response Policy and Procedures
ID: NIST SP 800-53 Rev. 4 IR-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1351 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1352 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Response Training
ID: NIST SP 800-53 Rev. 4 IR-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1353 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1354 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1355 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Simulated Events
ID: NIST SP 800-53 Rev. 4 IR-2 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1356 - Incident Response Training | Simulated Events | Microsoft implements this Incident Response control | audit | 1.0.0 |
Automated Training Environments
ID: NIST SP 800-53 Rev. 4 IR-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Response Testing
ID: NIST SP 800-53 Rev. 4 IR-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1358 - Incident Response Testing | Microsoft implements this Incident Response control | audit | 1.0.0 |
Coordination with Related Plans
ID: NIST SP 800-53 Rev. 4 IR-3 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Handling
ID: NIST SP 800-53 Rev. 4 IR-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1360 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1361 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1362 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Automated Incident Handling Processes
ID: NIST SP 800-53 Rev. 4 IR-4 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes | Microsoft implements this Incident Response control | audit | 1.0.0 |
Dynamic Reconfiguration
ID: NIST SP 800-53 Rev. 4 IR-4 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration | Microsoft implements this Incident Response control | audit | 1.0.0 |
Continuity of Operations
ID: NIST SP 800-53 Rev. 4 IR-4 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Information Correlation
ID: NIST SP 800-53 Rev. 4 IR-4 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1366 - Incident Handling | Information Correlation | Microsoft implements this Incident Response control | audit | 1.0.0 |
Insider Threats - Specific Capabilities
ID: NIST SP 800-53 Rev. 4 IR-4 (6)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities | Microsoft implements this Incident Response control | audit | 1.0.0 |
Correlation with External Organizations
ID: NIST SP 800-53 Rev. 4 IR-4 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Monitoring
ID: NIST SP 800-53 Rev. 4 IR-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1369 - Incident Monitoring | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Automated Tracking / Data Collection / Analysis
ID: NIST SP 800-53 Rev. 4 IR-5 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Reporting
ID: NIST SP 800-53 Rev. 4 IR-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1371 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1372 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Automated Reporting
ID: NIST SP 800-53 Rev. 4 IR-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Vulnerabilities Related to Incidents
ID: NIST SP 800-53 Rev. 4 IR-6 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Incident Response Assistance
ID: NIST SP 800-53 Rev. 4 IR-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1374 - Incident Response Assistance | Microsoft implements this Incident Response control | audit | 1.0.0 |
Automation Support for Availability of Information / Support
ID: NIST SP 800-53 Rev. 4 IR-7 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support | Microsoft implements this Incident Response control | audit | 1.0.0 |
Coordination with External Providers
ID: NIST SP 800-53 Rev. 4 IR-7 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Response Plan
ID: NIST SP 800-53 Rev. 4 IR-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1378 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1379 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1380 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1381 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1382 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1383 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Information Spillage Response
ID: NIST SP 800-53 Rev. 4 IR-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1384 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1385 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1386 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1387 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1388 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1389 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Responsible Personnel
ID: NIST SP 800-53 Rev. 4 IR-9 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel | Microsoft implements this Incident Response control | audit | 1.0.0 |
Training
ID: NIST SP 800-53 Rev. 4 IR-9 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1391 - Information Spillage Response | Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Post-spill Operations
ID: NIST SP 800-53 Rev. 4 IR-9 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Exposure to Unauthorized Personnel
ID: NIST SP 800-53 Rev. 4 IR-9 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel | Microsoft implements this Incident Response control | audit | 1.0.0 |
Maintenance
System Maintenance Policy and Procedures
ID: NIST SP 800-53 Rev. 4 MA-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1394 - System Maintenance Policy And Procedures | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1395 - System Maintenance Policy And Procedures | Microsoft implements this Maintenance control | audit | 1.0.0 |
Controlled Maintenance
ID: NIST SP 800-53 Rev. 4 MA-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1396 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1397 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1398 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1399 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1400 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1401 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Automated Maintenance Activities
ID: NIST SP 800-53 Rev. 4 MA-2 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities | Microsoft implements this Maintenance control | audit | 1.0.0 |
Maintenance Tools
ID: NIST SP 800-53 Rev. 4 MA-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1404 - Maintenance Tools | Microsoft implements this Maintenance control | audit | 1.0.0 |
Inspect Tools
ID: NIST SP 800-53 Rev. 4 MA-3 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools | Microsoft implements this Maintenance control | audit | 1.0.0 |
Inspect Media
ID: NIST SP 800-53 Rev. 4 MA-3 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media | Microsoft implements this Maintenance control | audit | 1.0.0 |
Prevent Unauthorized Removal
ID: NIST SP 800-53 Rev. 4 MA-3 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
Nonlocal Maintenance
ID: NIST SP 800-53 Rev. 4 MA-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1411 - Nonlocal Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1412 - Nonlocal Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1413 - Nonlocal Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1414 - Nonlocal Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1415 - Nonlocal Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Document Nonlocal Maintenance
ID: NIST SP 800-53 Rev. 4 MA-4 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Comparable Security / Sanitization
ID: NIST SP 800-53 Rev. 4 MA-4 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | audit | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 MA-4 (6)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection | Microsoft implements this Maintenance control | audit | 1.0.0 |
Maintenance Personnel
ID: NIST SP 800-53 Rev. 4 MA-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1420 - Maintenance Personnel | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1421 - Maintenance Personnel | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1422 - Maintenance Personnel | Microsoft implements this Maintenance control | audit | 1.0.0 |
Individuals Without Appropriate Access
ID: NIST SP 800-53 Rev. 4 MA-5 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access | Microsoft implements this Maintenance control | audit | 1.0.0 |
Timely Maintenance
ID: NIST SP 800-53 Rev. 4 MA-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1425 - Timely Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Media Protection
Media Protection Policy and Procedures
ID: NIST SP 800-53 Rev. 4 MP-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1426 - Media Protection Policy And Procedures | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1427 - Media Protection Policy And Procedures | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Access
ID: NIST SP 800-53 Rev. 4 MP-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1428 - Media Access | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Marking
ID: NIST SP 800-53 Rev. 4 MP-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1429 - Media Marking | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1430 - Media Marking | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Storage
ID: NIST SP 800-53 Rev. 4 MP-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1431 - Media Storage | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1432 - Media Storage | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Transport
ID: NIST SP 800-53 Rev. 4 MP-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1433 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1434 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1435 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1436 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 MP-5 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Sanitization
ID: NIST SP 800-53 Rev. 4 MP-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1438 - Media Sanitization | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1439 - Media Sanitization | Microsoft implements this Media Protection control | audit | 1.0.0 |
Review / Approve / Track / Document / Verify
ID: NIST SP 800-53 Rev. 4 MP-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify | Microsoft implements this Media Protection control | audit | 1.0.0 |
Equipment Testing
ID: NIST SP 800-53 Rev. 4 MP-6 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing | Microsoft implements this Media Protection control | audit | 1.0.0 |
Nondestructive Techniques
ID: NIST SP 800-53 Rev. 4 MP-6 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Use
ID: NIST SP 800-53 Rev. 4 MP-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1443 - Media Use | Microsoft implements this Media Protection control | audit | 1.0.0 |
Prohibit Use Without Owner
ID: NIST SP 800-53 Rev. 4 MP-7 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner | Microsoft implements this Media Protection control | audit | 1.0.0 |
Physical and Environmental Protection
Physical and Environmental Protection Policy and Procedures
ID: NIST SP 800-53 Rev. 4 PE-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Physical Access Authorizations
ID: NIST SP 800-53 Rev. 4 PE-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1447 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1448 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1449 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1450 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Physical Access Control
ID: NIST SP 800-53 Rev. 4 PE-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1451 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1452 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1453 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1454 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1455 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1456 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1457 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Information System Access
ID: NIST SP 800-53 Rev. 4 PE-3 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1458 - Physical Access Control | Information System Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Access Control for Transmission Medium
ID: NIST SP 800-53 Rev. 4 PE-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1459 - Access Control For Transmission Medium | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Access Control for Output Devices
ID: NIST SP 800-53 Rev. 4 PE-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1460 - Access Control For Output Devices | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Monitoring Physical Access
ID: NIST SP 800-53 Rev. 4 PE-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1461 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1462 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1463 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Intrusion Alarms / Surveillance Equipment
ID: NIST SP 800-53 Rev. 4 PE-6 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Monitoring Physical Access to Information Systems
ID: NIST SP 800-53 Rev. 4 PE-6 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Visitor Access Records
ID: NIST SP 800-53 Rev. 4 PE-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1466 - Visitor Access Records | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1467 - Visitor Access Records | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Automated Records Maintenance / Review
ID: NIST SP 800-53 Rev. 4 PE-8 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Power Equipment and Cabling
ID: NIST SP 800-53 Rev. 4 PE-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1469 - Power Equipment And Cabling | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Emergency Shutoff
ID: NIST SP 800-53 Rev. 4 PE-10
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1470 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1471 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1472 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Emergency Power
ID: NIST SP 800-53 Rev. 4 PE-11
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1473 - Emergency Power | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Long-term Alternate Power Supply - Minimal Operational Capability
ID: NIST SP 800-53 Rev. 4 PE-11 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Emergency Lighting
ID: NIST SP 800-53 Rev. 4 PE-12
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1475 - Emergency Lighting | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Fire Protection
ID: NIST SP 800-53 Rev. 4 PE-13
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1476 - Fire Protection | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Detection Devices / Systems
ID: NIST SP 800-53 Rev. 4 PE-13 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Suppression Devices / Systems
ID: NIST SP 800-53 Rev. 4 PE-13 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Automatic Fire Suppression
ID: NIST SP 800-53 Rev. 4 PE-13 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Temperature and Humidity Controls
ID: NIST SP 800-53 Rev. 4 PE-14
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1480 - Temperature And Humidity Controls | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1481 - Temperature And Humidity Controls | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Monitoring with Alarms / Notifications
ID: NIST SP 800-53 Rev. 4 PE-14 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Water Damage Protection
ID: NIST SP 800-53 Rev. 4 PE-15
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1483 - Water Damage Protection | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Automation Support
ID: NIST SP 800-53 Rev. 4 PE-15 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1484 - Water Damage Protection | Automation Support | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Delivery and Removal
ID: NIST SP 800-53 Rev. 4 PE-16
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1485 - Delivery And Removal | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Alternate Work Site
ID: NIST SP 800-53 Rev. 4 PE-17
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1486 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1487 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1488 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Location of Information System Components
ID: NIST SP 800-53 Rev. 4 PE-18
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1489 - Location Of Information System Components | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Planning
Security Planning Policy and Procedures
ID: NIST SP 800-53 Rev. 4 PL-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1490 - Security Planning Policy And Procedures | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1491 - Security Planning Policy And Procedures | Microsoft implements this Planning control | audit | 1.0.0 |
System Security Plan
ID: NIST SP 800-53 Rev. 4 PL-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1492 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1493 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1494 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1495 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1496 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
Plan / Coordinate with Other Organizational Entities
ID: NIST SP 800-53 Rev. 4 PL-2 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities | Microsoft implements this Planning control | audit | 1.0.0 |
Rules of Behavior
ID: NIST SP 800-53 Rev. 4 PL-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1498 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1499 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1500 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1501 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
Social Media and Networking Restrictions
ID: NIST SP 800-53 Rev. 4 PL-4 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions | Microsoft implements this Planning control | audit | 1.0.0 |
Information Security Architecture
ID: NIST SP 800-53 Rev. 4 PL-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1503 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1504 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1505 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
Personnel Security
Personnel Security Policy and Procedures
ID: NIST SP 800-53 Rev. 4 PS-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1506 - Personnel Security Policy And Procedures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1507 - Personnel Security Policy And Procedures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Position Risk Designation
ID: NIST SP 800-53 Rev. 4 PS-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1508 - Position Risk Designation | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1509 - Position Risk Designation | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1510 - Position Risk Designation | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Screening
ID: NIST SP 800-53 Rev. 4 PS-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1511 - Personnel Screening | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1512 - Personnel Screening | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Information with Special Protection Measures
ID: NIST SP 800-53 Rev. 4 PS-3 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Termination
ID: NIST SP 800-53 Rev. 4 PS-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1515 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1516 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1517 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1518 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1519 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1520 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Automated Notification
ID: NIST SP 800-53 Rev. 4 PS-4 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1521 - Personnel Termination | Automated Notification | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Transfer
ID: NIST SP 800-53 Rev. 4 PS-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1522 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1523 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1524 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1525 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Access Agreements
ID: NIST SP 800-53 Rev. 4 PS-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1526 - Access Agreements | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1527 - Access Agreements | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1528 - Access Agreements | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Third-party Personnel Security
ID: NIST SP 800-53 Rev. 4 PS-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1529 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1530 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1531 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1532 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1533 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Sanctions
ID: NIST SP 800-53 Rev. 4 PS-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1534 - Personnel Sanctions | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1535 - Personnel Sanctions | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Risk Assessment
Risk Assessment Policy and Procedures
ID: NIST SP 800-53 Rev. 4 RA-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Security Categorization
ID: NIST SP 800-53 Rev. 4 RA-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1538 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1539 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1540 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Risk Assessment
ID: NIST SP 800-53 Rev. 4 RA-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1541 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1542 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1543 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1544 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1545 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Vulnerability Scanning
ID: NIST SP 800-53 Rev. 4 RA-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0 |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | AuditIfNotExists, Disabled | 2.0.0 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0 |
| Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Update Tool Capability
ID: NIST SP 800-53 Rev. 4 RA-5 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Update by Frequency / Prior to New Scan / When Identified
ID: NIST SP 800-53 Rev. 4 RA-5 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Breadth / Depth of Coverage
ID: NIST SP 800-53 Rev. 4 RA-5 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Discoverable Information
ID: NIST SP 800-53 Rev. 4 RA-5 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Privileged Access
ID: NIST SP 800-53 Rev. 4 RA-5 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Automated Trend Analyses
ID: NIST SP 800-53 Rev. 4 RA-5 (6)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Review Historic Audit Logs
ID: NIST SP 800-53 Rev. 4 RA-5 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Correlate Scanning Information
ID: NIST SP 800-53 Rev. 4 RA-5 (10)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
System and Services Acquisition
System and Services Acquisition Policy and Procedures
ID: NIST SP 800-53 Rev. 4 SA-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Allocation of Resources
ID: NIST SP 800-53 Rev. 4 SA-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1561 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1562 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1563 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
System Development Life Cycle
ID: NIST SP 800-53 Rev. 4 SA-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1564 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1565 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1566 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1567 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Acquisition Process
ID: NIST SP 800-53 Rev. 4 SA-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1568 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1569 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1570 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1571 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1572 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1573 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1574 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Functional Properties of Security Controls
ID: NIST SP 800-53 Rev. 4 SA-4 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Design / Implementation Information for Security Controls
ID: NIST SP 800-53 Rev. 4 SA-4 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Continuous Monitoring Plan
ID: NIST SP 800-53 Rev. 4 SA-4 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Functions / Ports / Protocols / Services in Use
ID: NIST SP 800-53 Rev. 4 SA-4 (9)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Use of Approved PIV Products
ID: NIST SP 800-53 Rev. 4 SA-4 (10)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Information System Documentation
ID: NIST SP 800-53 Rev. 4 SA-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1580 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1581 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1582 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1583 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1584 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Security Engineering Principles
ID: NIST SP 800-53 Rev. 4 SA-8
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1585 - Security Engineering Principles | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
External Information System Services
ID: NIST SP 800-53 Rev. 4 SA-9
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1586 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1587 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1588 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Risk Assessments / Organizational Approvals
ID: NIST SP 800-53 Rev. 4 SA-9 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Identification of Functions / Ports / Protocols / Services
ID: NIST SP 800-53 Rev. 4 SA-9 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions / Ports / Protocols / Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Consistent Interests of Consumers and Providers
ID: NIST SP 800-53 Rev. 4 SA-9 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Processing, Storage, and Service Location
ID: NIST SP 800-53 Rev. 4 SA-9 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer Configuration Management
ID: NIST SP 800-53 Rev. 4 SA-10
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Software / Firmware Integrity Verification
ID: NIST SP 800-53 Rev. 4 SA-10 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer Security Testing and Evaluation
ID: NIST SP 800-53 Rev. 4 SA-11
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1600 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1601 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1602 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1603 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1604 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Static Code Analysis
ID: NIST SP 800-53 Rev. 4 SA-11 (1)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Threat and Vulnerability Analyses
ID: NIST SP 800-53 Rev. 4 SA-11 (2)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Dynamic Code Analysis
ID: NIST SP 800-53 Rev. 4 SA-11 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Supply Chain Protection
ID: NIST SP 800-53 Rev. 4 SA-12
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1608 - Supply Chain Protection | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Development Process, Standards, and Tools
ID: NIST SP 800-53 Rev. 4 SA-15
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1609 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1610 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer-provided Training
ID: NIST SP 800-53 Rev. 4 SA-16
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1611 - Developer-Provided Training | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer Security Architecture and Design
ID: NIST SP 800-53 Rev. 4 SA-17
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1612 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1613 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1614 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
System and Communications Protection
System and Communications Protection Policy and Procedures
ID: NIST SP 800-53 Rev. 4 SC-1
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Application Partitioning
ID: NIST SP 800-53 Rev. 4 SC-2
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1617 - Application Partitioning | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Security Function Isolation
ID: NIST SP 800-53 Rev. 4 SC-3
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1618 - Security Function Isolation | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 1.1.1 |
Information in Shared Resources
ID: NIST SP 800-53 Rev. 4 SC-4
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1619 - Information In Shared Resources | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Denial of Service Protection
ID: NIST SP 800-53 Rev. 4 SC-5
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure DDoS Protection should be enabled | DDoS Protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1620 - Denial Of Service Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1 |
| Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1 |
Resource Availability
ID: NIST SP 800-53 Rev. 4 SC-6
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1621 - Resource Availability | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Boundary Protection
ID: NIST SP 800-53 Rev. 4 SC-7
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Audit, Deny, Disabled | 2.0.0-preview |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 2.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 1.1.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1622 - Boundary Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1623 - Boundary Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1624 - Boundary Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Audit, Deny, Disabled | 1.1.0-preview |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | disabled | 3.0.1-preview |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1 |
| Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1 |
Access Points
ID: NIST SP 800-53 Rev. 4 SC-7 (3)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Audit, Deny, Disabled | 2.0.0-preview |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 2.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 1.1.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1625 - Boundary Protection | Access Points | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Audit, Deny, Disabled | 1.1.0-preview |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Disabled | 1.0.2 |
| Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | disabled | 3.0.1-preview |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1 |
| Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1 |
External Telecommunications Services
ID: NIST SP 800-53 Rev. 4 SC-7 (4)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Deny by Default / Allow by Exception
ID: NIST SP 800-53 Rev. 4 SC-7 (5)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Prevent Split Tunneling for Remote Devices
ID: NIST SP 800-53 Rev. 4 SC-7 (7)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Route Traffic to Authenticated Proxy Servers
ID: NIST SP 800-53 Rev. 4 SC-7 (8)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Prevent Unauthorized Exfiltration
ID: NIST SP 800-53 Rev. 4 SC-7 (10)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Host-based Protection
ID: NIST SP 800-53 Rev. 4 SC-7 (12)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Isolation of Security Tools / Mechanisms / Support Components
ID: NIST SP 800-53 Rev. 4 SC-7 (13)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Fail Secure
ID: NIST SP 800-53 Rev. 4 SC-7 (18)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1637 - Boundary Protection | Fail Secure | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Dynamic Isolation / Segregation
ID: NIST SP 800-53 Rev. 4 SC-7 (20)
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation | Microsoft implements this System and Communications Protection control | audit |