Details of the System and Organization Controls (SOC) 2 Regulatory Compliance built-in initiative

Artikkel
10/30/2024

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the System and Organization Controls (SOC) 2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the SOC 2 Type 2 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Additional Criteria For Availability

Capacity management

ID: SOC 2 Type 2 A1.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct capacity planning	CMA_C1252 - Conduct capacity planning	Manual, Disabled	1.1.0

Environmental protections, software, data back-up processes, and recovery infrastructure

ID: SOC 2 Type 2 A1.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Backup should be enabled for Virtual Machines	Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.	AuditIfNotExists, Disabled	3.0.0
Employ automatic emergency lighting	CMA_0209 - Employ automatic emergency lighting	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB	Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL	Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Implement a penetration testing methodology	CMA_0306 - Implement a penetration testing methodology	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Recover and reconstitute resources after any disruption	CMA_C1295 - Recover and reconstitute resources after any disruption	Manual, Disabled	1.1.1
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0
Transfer backup information to an alternate storage site	CMA_C1294 - Transfer backup information to an alternate storage site	Manual, Disabled	1.1.0

Recovery plan testing

ID: SOC 2 Type 2 A1.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Initiate contingency plan testing corrective actions	CMA_C1263 - Initiate contingency plan testing corrective actions	Manual, Disabled	1.1.0
Review the results of contingency plan testing	CMA_C1262 - Review the results of contingency plan testing	Manual, Disabled	1.1.0
Test the business continuity and disaster recovery plan	CMA_0509 - Test the business continuity and disaster recovery plan	Manual, Disabled	1.1.0

Additional Criteria For Confidentiality

Protection of confidential information

ID: SOC 2 Type 2 C1.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

Disposal of confidential information

ID: SOC 2 Type 2 C1.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

Control Environment

COSO Principle 1

ID: SOC 2 Type 2 CC1.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

COSO Principle 2

ID: SOC 2 Type 2 CC1.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

COSO Principle 3

ID: SOC 2 Type 2 CC1.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

COSO Principle 4

ID: SOC 2 Type 2 CC1.4 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide role-based practical exercises	CMA_C1096 - Provide role-based practical exercises	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0

COSO Principle 5

ID: SOC 2 Type 2 CC1.5 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0

Communication and Information

COSO Principle 13

ID: SOC 2 Type 2 CC2.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

COSO Principle 14

ID: SOC 2 Type 2 CC2.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Email notification for high severity alerts should be enabled	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.	AuditIfNotExists, Disabled	1.2.0
Email notification to subscription owner for high severity alerts should be enabled	To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.	AuditIfNotExists, Disabled	2.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Subscriptions should have a contact email address for security issues	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.	AuditIfNotExists, Disabled	1.0.1

COSO Principle 15

ID: SOC 2 Type 2 CC2.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Email notification for high severity alerts should be enabled	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.	AuditIfNotExists, Disabled	1.2.0
Email notification to subscription owner for high severity alerts should be enabled	To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.	AuditIfNotExists, Disabled	2.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0
Subscriptions should have a contact email address for security issues	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.	AuditIfNotExists, Disabled	1.0.1

Risk Assessment

COSO Principle 6

ID: SOC 2 Type 2 CC3.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Categorize information	CMA_0052 - Categorize information	Manual, Disabled	1.1.0
Determine information protection needs	CMA_C1750 - Determine information protection needs	Manual, Disabled	1.1.0
Develop business classification schemes	CMA_0155 - Develop business classification schemes	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

COSO Principle 7

ID: SOC 2 Type 2 CC3.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Categorize information	CMA_0052 - Categorize information	Manual, Disabled	1.1.0
Determine information protection needs	CMA_C1750 - Determine information protection needs	Manual, Disabled	1.1.0
Develop business classification schemes	CMA_0155 - Develop business classification schemes	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance	Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.	AuditIfNotExists, Disabled	1.0.1
Vulnerability assessment should be enabled on your SQL servers	Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.	AuditIfNotExists, Disabled	3.0.0

COSO Principle 8

ID: SOC 2 Type 2 CC3.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

COSO Principle 9

ID: SOC 2 Type 2 CC3.4 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Monitoring Activities

COSO Principle 16

ID: SOC 2 Type 2 CC4.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0

COSO Principle 17

ID: SOC 2 Type 2 CC4.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0

Control Activities

COSO Principle 10

ID: SOC 2 Type 2 CC5.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

COSO Principle 11

ID: SOC 2 Type 2 CC5.2 Ownership: Shared

COSO Principle 12

ID: SOC 2 Type 2 CC5.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Logical and Physical Access Controls

Logical access security software, infrastructure, and architectures

ID: SOC 2 Type 2 CC6.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should require FTPS only	Enable FTPS enforcement for enhanced security.	AuditIfNotExists, Disabled	3.0.0
Authentication to Linux machines should require SSH keys	Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.	AuditIfNotExists, Disabled	3.2.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Automation account variables should be encrypted	It is important to enable encryption of Automation account variable assets when storing sensitive data	Audit, Deny, Disabled	1.1.0
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)	Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope.	Audit, Deny, Disabled	2.2.0
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest	Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.	audit, Audit, deny, Deny, disabled, Disabled	1.1.0
Azure Machine Learning workspaces should be encrypted with a customer-managed key	Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk.	Audit, Deny, Disabled	1.1.0
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Certificates should have the specified maximum validity period	Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.	audit, Audit, deny, Deny, disabled, Disabled	2.2.1
Container registries should be encrypted with a customer-managed key	Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK.	Audit, Deny, Disabled	1.1.2
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should require FTPS only	Enable FTPS enforcement for enhanced security.	AuditIfNotExists, Disabled	3.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Key Vault keys should have an expiration date	Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.	Audit, Deny, Disabled	1.0.2
Key Vault secrets should have an expiration date	Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.	Audit, Deny, Disabled	1.0.2
Key vaults should have deletion protection enabled	Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default.	Audit, Deny, Disabled	2.1.0
Key vaults should have soft delete enabled	Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.	Audit, Deny, Disabled	3.0.0
Kubernetes clusters should be accessible only over HTTPS	Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc	audit, Audit, deny, Deny, disabled, Disabled	8.2.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Management ports should be closed on your virtual machines	Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.	AuditIfNotExists, Disabled	3.0.0
MySQL servers should use customer-managed keys to encrypt data at rest	Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.	AuditIfNotExists, Disabled	1.0.4
Non-internet-facing virtual machines should be protected with network security groups	Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
PostgreSQL servers should use customer-managed keys to encrypt data at rest	Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.	AuditIfNotExists, Disabled	1.0.4
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed	Audit, Deny, Disabled	1.1.0
SQL managed instances should use customer-managed keys to encrypt data at rest	Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.	Audit, Deny, Disabled	2.0.0
SQL servers should use customer-managed keys to encrypt data at rest	Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.	Audit, Deny, Disabled	2.0.1
Storage account containing the container with activity logs must be encrypted with BYOK	This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok.	AuditIfNotExists, Disabled	1.0.0
Storage accounts should use customer-managed key for encryption	Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.	Audit, Disabled	1.0.3
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0
Transparent Data Encryption on SQL databases should be enabled	Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements	AuditIfNotExists, Disabled	2.0.0
Windows machines should be configured to use secure communication protocols	To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines.	AuditIfNotExists, Disabled	4.1.1

Access provisioning and removal

ID: SOC 2 Type 2 CC6.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0

Rol based access and least privilege

ID: SOC 2 Type 2 CC6.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Review user privileges	CMA_C1039 - Review user privileges	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Role-Based Access Control (RBAC) should be used on Kubernetes Services	To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.	Audit, Disabled	1.0.4
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Restricted physical access

ID: SOC 2 Type 2 CC6.4 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

Logical and physical protections over physical assets

ID: SOC 2 Type 2 CC6.5 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0

Security measures against threats outside system boundaries

ID: SOC 2 Type 2 CC6.6 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall	Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall	AuditIfNotExists, Disabled	3.0.0-preview
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should require FTPS only	Enable FTPS enforcement for enhanced security.	AuditIfNotExists, Disabled	3.0.0
Authentication to Linux machines should require SSH keys	Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.	AuditIfNotExists, Disabled	3.2.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Azure Web Application Firewall should be enabled for Azure Front Door entry-points	Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.	Audit, Deny, Disabled	1.0.2
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should require FTPS only	Enable FTPS enforcement for enhanced security.	AuditIfNotExists, Disabled	3.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
IP Forwarding on your virtual machine should be disabled	Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.	AuditIfNotExists, Disabled	3.0.0
Kubernetes clusters should be accessible only over HTTPS	Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc	audit, Audit, deny, Deny, disabled, Disabled	8.2.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Management ports should be closed on your virtual machines	Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.	AuditIfNotExists, Disabled	3.0.0
Non-internet-facing virtual machines should be protected with network security groups	Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway	Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.	Audit, Deny, Disabled	2.0.0
Windows machines should be configured to use secure communication protocols	To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines.	AuditIfNotExists, Disabled	4.1.1

Restrict the movement of information to authorized users

ID: SOC 2 Type 2 CC6.7 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should require FTPS only	Enable FTPS enforcement for enhanced security.	AuditIfNotExists, Disabled	3.0.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should require FTPS only	Enable FTPS enforcement for enhanced security.	AuditIfNotExists, Disabled	3.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Kubernetes clusters should be accessible only over HTTPS	Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc	audit, Audit, deny, Deny, disabled, Disabled	8.2.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Management ports should be closed on your virtual machines	Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.	AuditIfNotExists, Disabled	3.0.0
Non-internet-facing virtual machines should be protected with network security groups	Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Windows machines should be configured to use secure communication protocols	To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines.	AuditIfNotExists, Disabled	4.1.1

Prevent or detect against unauthorized or malicious software

ID: SOC 2 Type 2 CC6.8 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled	Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates.	Audit, Disabled	3.1.0-deprecated
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines	Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.	AuditIfNotExists, Disabled	6.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets	Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.	AuditIfNotExists, Disabled	5.1.0-preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines	Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.	AuditIfNotExists, Disabled	4.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets	Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.	AuditIfNotExists, Disabled	3.1.0-preview
[Preview]: Secure Boot should be enabled on supported Windows virtual machines	Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.	Audit, Disabled	4.0.0-preview
[Preview]: vTPM should be enabled on supported virtual machines	Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.	Audit, Disabled	2.0.0-preview
App Service apps should have Client Certificates (Incoming client certificates) enabled	Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1.	AuditIfNotExists, Disabled	1.0.0
App Service apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
App Service apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.	AuditIfNotExists, Disabled	2.0.0
App Service apps should use latest 'HTTP Version'	Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.	AuditIfNotExists, Disabled	4.0.0
Audit VMs that do not use managed disks	This policy audits VMs that do not use managed disks	audit	1.0.0
Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed	The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc.	AuditIfNotExists, Disabled	1.1.0
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters	Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.	Audit, Disabled	1.0.2
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Function apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
Function apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.	AuditIfNotExists, Disabled	2.0.0
Function apps should use latest 'HTTP Version'	Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.	AuditIfNotExists, Disabled	4.0.0
Guest Configuration extension should be installed on your machines	To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.	AuditIfNotExists, Disabled	1.0.3
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits	Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	9.3.0
Kubernetes cluster containers should not share host process ID or host IPC namespace	Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	5.2.0
Kubernetes cluster containers should only use allowed AppArmor profiles	Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster containers should only use allowed capabilities	Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster containers should only use allowed images	Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	9.3.0
Kubernetes cluster containers should run with a read only root file system	Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.3.0
Kubernetes cluster pod hostPath volumes should only use allowed host paths	Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster pods and containers should only run with approved user and group IDs	Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster pods should only use approved host network and port range	Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster services should listen only on allowed ports	Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	8.2.0
Kubernetes cluster should not allow privileged containers	Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	9.2.0
Kubernetes clusters should disable automounting API credentials	Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	4.2.0
Kubernetes clusters should not allow container privilege escalation	Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	7.2.0
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities	To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	5.1.0
Kubernetes clusters should not use the default namespace	Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	4.2.0
Linux machines should meet requirements for the Azure compute security baseline	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.	AuditIfNotExists, Disabled	2.2.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Only approved VM extensions should be installed	This policy governs the virtual machine extensions that are not approved.	Audit, Deny, Disabled	1.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Storage accounts should allow access from trusted Microsoft services	Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.	Audit, Deny, Disabled	1.0.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity	The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol	AuditIfNotExists, Disabled	1.0.1
Windows machines should meet requirements of the Azure compute security baseline	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.	AuditIfNotExists, Disabled	2.0.0

System Operations

Detection and monitoring of new vulnerabilities

ID: SOC 2 Type 2 CC7.1 Ownership: Shared

Monitor system components for anomalous behavior

ID: SOC 2 Type 2 CC7.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed	Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.	AuditIfNotExists, Disabled	6.0.0-preview
An activity log alert should exist for specific Administrative operations	This policy audits specific Administrative operations with no activity log alerts configured.	AuditIfNotExists, Disabled	1.0.0
An activity log alert should exist for specific Policy operations	This policy audits specific Policy operations with no activity log alerts configured.	AuditIfNotExists, Disabled	3.0.0
An activity log alert should exist for specific Security operations	This policy audits specific Security operations with no activity log alerts configured.	AuditIfNotExists, Disabled	1.0.0
Azure Defender for App Service should be enabled	Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.	AuditIfNotExists, Disabled	1.0.3
Azure Defender for Azure SQL Database servers should be enabled	Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.	AuditIfNotExists, Disabled	1.0.2
Azure Defender for Key Vault should be enabled	Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.	AuditIfNotExists, Disabled	1.0.3
Azure Defender for open-source relational databases should be enabled	Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center	AuditIfNotExists, Disabled	1.0.0
Azure Defender for Resource Manager should be enabled	Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .	AuditIfNotExists, Disabled	1.0.0
Azure Defender for servers should be enabled	Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.	AuditIfNotExists, Disabled	1.0.3
Azure Defender for SQL servers on machines should be enabled	Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.	AuditIfNotExists, Disabled	1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers	Audit SQL servers without Advanced Data Security	AuditIfNotExists, Disabled	2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances	Audit each SQL Managed Instance without advanced data security.	AuditIfNotExists, Disabled	1.0.2
Azure Kubernetes Service clusters should have Defender profile enabled	Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks	Audit, Disabled	2.0.1
Detect network services that have not been authorized or approved	CMA_C1700 - Detect network services that have not been authorized or approved	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0
Microsoft Defender for Containers should be enabled	Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.	AuditIfNotExists, Disabled	1.0.0
Microsoft Defender for Storage should be enabled	Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs.	AuditIfNotExists, Disabled	1.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Windows Defender Exploit Guard should be enabled on your machines	Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).	AuditIfNotExists, Disabled	2.0.0

Security incidents detection

ID: SOC 2 Type 2 CC7.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0

Security incidents response

ID: SOC 2 Type 2 CC7.4 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Email notification for high severity alerts should be enabled	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.	AuditIfNotExists, Disabled	1.2.0
Email notification to subscription owner for high severity alerts should be enabled	To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.	AuditIfNotExists, Disabled	2.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Identify classes of Incidents and Actions taken	CMA_C1365 - Identify classes of Incidents and Actions taken	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Include dynamic reconfig of customer deployed resources	CMA_C1364 - Include dynamic reconfig of customer deployed resources	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Network Watcher should be enabled	Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.	AuditIfNotExists, Disabled	3.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Subscriptions should have a contact email address for security issues	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.	AuditIfNotExists, Disabled	1.0.1
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

Recovery from identified security incidents

ID: SOC 2 Type 2 CC7.5 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Coordinate with external organizations to achieve cross org perspective	CMA_C1368 - Coordinate with external organizations to achieve cross org perspective	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Email notification for high severity alerts should be enabled	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.	AuditIfNotExists, Disabled	1.2.0
Email notification to subscription owner for high severity alerts should be enabled	To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.	AuditIfNotExists, Disabled	2.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Network Watcher should be enabled	Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.	AuditIfNotExists, Disabled	3.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0
Subscriptions should have a contact email address for security issues	To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.	AuditIfNotExists, Disabled	1.0.1
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

Change Management

Changes to infrastructure, data, and software

ID: SOC 2 Type 2 CC8.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled	Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates.	Audit, Disabled	3.1.0-deprecated
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines	Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.	AuditIfNotExists, Disabled	6.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets	Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.	AuditIfNotExists, Disabled	5.1.0-preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines	Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.	AuditIfNotExists, Disabled	4.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets	Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.	AuditIfNotExists, Disabled	3.1.0-preview
[Preview]: Secure Boot should be enabled on supported Windows virtual machines	Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.	Audit, Disabled	4.0.0-preview
[Preview]: vTPM should be enabled on supported virtual machines	Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.	Audit, Disabled	2.0.0-preview
App Service apps should have Client Certificates (Incoming client certificates) enabled	Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1.	AuditIfNotExists, Disabled	1.0.0
App Service apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
App Service apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.	AuditIfNotExists, Disabled	2.0.0
App Service apps should use latest 'HTTP Version'	Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.	AuditIfNotExists, Disabled	4.0.0
Audit VMs that do not use managed disks	This policy audits VMs that do not use managed disks	audit	1.0.0
Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed	The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc.	AuditIfNotExists, Disabled	1.1.0
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters	Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.	Audit, Disabled	1.0.2
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Function apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
Function apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.	AuditIfNotExists, Disabled	2.0.0
Function apps should use latest 'HTTP Version'	Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.	AuditIfNotExists, Disabled	4.0.0
Guest Configuration extension should be installed on your machines	To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.	AuditIfNotExists, Disabled	1.0.3
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits	Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	9.3.0
Kubernetes cluster containers should not share host process ID or host IPC namespace	Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	5.2.0
Kubernetes cluster containers should only use allowed AppArmor profiles	Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster containers should only use allowed capabilities	Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster containers should only use allowed images	Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	9.3.0
Kubernetes cluster containers should run with a read only root file system	Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.3.0
Kubernetes cluster pod hostPath volumes should only use allowed host paths	Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster pods and containers should only run with approved user and group IDs	Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster pods should only use approved host network and port range	Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	6.2.0
Kubernetes cluster services should listen only on allowed ports	Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	8.2.0
Kubernetes cluster should not allow privileged containers	Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	9.2.0
Kubernetes clusters should disable automounting API credentials	Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	4.2.0
Kubernetes clusters should not allow container privilege escalation	Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	7.2.0
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities	To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	5.1.0
Kubernetes clusters should not use the default namespace	Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.	audit, Audit, deny, Deny, disabled, Disabled	4.2.0
Linux machines should meet requirements for the Azure compute security baseline	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.	AuditIfNotExists, Disabled	2.2.0
Only approved VM extensions should be installed	This policy governs the virtual machine extensions that are not approved.	Audit, Deny, Disabled	1.0.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Storage accounts should allow access from trusted Microsoft services	Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.	Audit, Deny, Disabled	1.0.0
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity	The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol	AuditIfNotExists, Disabled	1.0.1
Windows machines should meet requirements of the Azure compute security baseline	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.	AuditIfNotExists, Disabled	2.0.0

Risk Mitigation

Risk mitigation activities

ID: SOC 2 Type 2 CC9.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine information protection needs	CMA_C1750 - Determine information protection needs	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Vendors and business partners risk management

ID: SOC 2 Type 2 CC9.2 Ownership: Shared

Additional Criteria For Privacy

Privacy notice

ID: SOC 2 Type 2 P1.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document and distribute a privacy policy	CMA_0188 - Document and distribute a privacy policy	Manual, Disabled	1.1.0
Ensure privacy program information is publicly available	CMA_C1867 - Ensure privacy program information is publicly available	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Provide privacy notice to the public and to individuals	CMA_C1861 - Provide privacy notice to the public and to individuals	Manual, Disabled	1.1.0

ID: SOC 2 Type 2 P2.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0

Consistent personal information collection

ID: SOC 2 Type 2 P3.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine legal authority to collect PII	CMA_C1800 - Determine legal authority to collect PII	Manual, Disabled	1.1.0
Document process to ensure integrity of PII	CMA_C1827 - Document process to ensure integrity of PII	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0

ID: SOC 2 Type 2 P3.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Collect PII directly from the individual	CMA_C1822 - Collect PII directly from the individual	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0

Personal information use

ID: SOC 2 Type 2 P4.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

Personal information retention

ID: SOC 2 Type 2 P4.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Document process to ensure integrity of PII	CMA_C1827 - Document process to ensure integrity of PII	Manual, Disabled	1.1.0

Personal information disposal

ID: SOC 2 Type 2 P4.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Personal information access

ID: SOC 2 Type 2 P5.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement methods for consumer requests	CMA_0319 - Implement methods for consumer requests	Manual, Disabled	1.1.0
Publish rules and regulations accessing Privacy Act records	CMA_C1847 - Publish rules and regulations accessing Privacy Act records	Manual, Disabled	1.1.0

Personal information correction

ID: SOC 2 Type 2 P5.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Respond to rectification requests	CMA_0442 - Respond to rectification requests	Manual, Disabled	1.1.0

Personal information third party disclosure

ID: SOC 2 Type 2 P6.1 Ownership: Shared

Authorized disclosure of personal information record

ID: SOC 2 Type 2 P6.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Keep accurate accounting of disclosures of information	CMA_C1818 - Keep accurate accounting of disclosures of information	Manual, Disabled	1.1.0

Unauthorized disclosure of personal information record

ID: SOC 2 Type 2 P6.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Keep accurate accounting of disclosures of information	CMA_C1818 - Keep accurate accounting of disclosures of information	Manual, Disabled	1.1.0

Third party agreements

ID: SOC 2 Type 2 P6.4 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0

Third party unauthorized disclosure notification

ID: SOC 2 Type 2 P6.5 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Information security and personal data protection	CMA_0332 - Information security and personal data protection	Manual, Disabled	1.1.0

Privacy incident notification

ID: SOC 2 Type 2 P6.6 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Information security and personal data protection	CMA_0332 - Information security and personal data protection	Manual, Disabled	1.1.0

Accounting of disclosure of personal information

ID: SOC 2 Type 2 P6.7 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Keep accurate accounting of disclosures of information	CMA_C1818 - Keep accurate accounting of disclosures of information	Manual, Disabled	1.1.0
Make accounting of disclosures available upon request	CMA_C1820 - Make accounting of disclosures available upon request	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

Personal information quality

ID: SOC 2 Type 2 P7.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Confirm quality and integrity of PII	CMA_C1821 - Confirm quality and integrity of PII	Manual, Disabled	1.1.0
Issue guidelines for ensuring data quality and integrity	CMA_C1824 - Issue guidelines for ensuring data quality and integrity	Manual, Disabled	1.1.0
Verify inaccurate or outdated PII	CMA_C1823 - Verify inaccurate or outdated PII	Manual, Disabled	1.1.0

Privacy complaint management and compliance management

ID: SOC 2 Type 2 P8.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document and implement privacy complaint procedures	CMA_0189 - Document and implement privacy complaint procedures	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Information security and personal data protection	CMA_0332 - Information security and personal data protection	Manual, Disabled	1.1.0
Respond to complaints, concerns, or questions timely	CMA_C1853 - Respond to complaints, concerns, or questions timely	Manual, Disabled	1.1.0
Train staff on PII sharing and its consequences	CMA_C1871 - Train staff on PII sharing and its consequences	Manual, Disabled	1.1.0

Additional Criteria For Processing Integrity

Data processing definitions

ID: SOC 2 Type 2 PI1.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

System inputs over completeness and accuracy

ID: SOC 2 Type 2 PI1.2 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Perform information input validation	CMA_C1723 - Perform information input validation	Manual, Disabled	1.1.0

System processing

ID: SOC 2 Type 2 PI1.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Generate error messages	CMA_C1724 - Generate error messages	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Perform information input validation	CMA_C1723 - Perform information input validation	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

System output is complete, accurate, and timely

ID: SOC 2 Type 2 PI1.4 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

Store inputs and outputs completely, accurately, and timely

ID: SOC 2 Type 2 PI1.5 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Backup should be enabled for Virtual Machines	Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.	AuditIfNotExists, Disabled	3.0.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB	Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL	Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0

Next steps

Additional articles about Azure Policy:

Regulatory Compliance overview.
See the initiative definition structure.
Review other examples at Azure Policy samples.
Review Understanding policy effects.
Learn how to remediate non-compliant resources.

Jagamisviis: