Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4. To understand Ownership, review the policy type and Shared responsibility in the cloud.
The following mappings are to the NIST SP 800-53 Rev. 4 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Access Control
Access Control Policy And Procedures
ID: NIST SP 800-53 Rev. 4 AC-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Account Management
ID: NIST SP 800-53 Rev. 4 AC-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Automated System Account Management
ID: NIST SP 800-53 Rev. 4 AC-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Disable Inactive Accounts
ID: NIST SP 800-53 Rev. 4 AC-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Automated Audit Actions
ID: NIST SP 800-53 Rev. 4 AC-2 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Inactivity Logout
ID: NIST SP 800-53 Rev. 4 AC-2 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and enforce inactivity log policy | CMA_C1017 - Define and enforce inactivity log policy | Manual, Disabled | 1.1.0 |
Role-Based Schemes
ID: NIST SP 800-53 Rev. 4 AC-2 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Restrictions On Use Of Shared Groups / Accounts
ID: NIST SP 800-53 Rev. 4 AC-2 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Shared / Group Account Credential Termination
ID: NIST SP 800-53 Rev. 4 AC-2 (10) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
Usage Conditions
ID: NIST SP 800-53 Rev. 4 AC-2 (11) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Manual, Disabled | 1.1.0 |
Account Monitoring / Atypical Usage
ID: NIST SP 800-53 Rev. 4 AC-2 (12) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
Disable Accounts For High-Risk Individuals
ID: NIST SP 800-53 Rev. 4 AC-2 (13) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Manual, Disabled | 1.1.0 |
Access Enforcement
ID: NIST SP 800-53 Rev. 4 AC-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Role-based Access Control
ID: NIST SP 800-53 Rev. 4 AC-3 (7) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.4 |
Information Flow Enforcement
ID: NIST SP 800-53 Rev. 4 AC-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.1-deprecated |
| [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.1-deprecated |
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.1.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Dynamic Information Flow Control
ID: NIST SP 800-53 Rev. 4 AC-4 (3) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Security Policy Filters
ID: NIST SP 800-53 Rev. 4 AC-4 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Physical / Logical Separation Of Information Flows
ID: NIST SP 800-53 Rev. 4 AC-4 (21) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Separation Of Duties
ID: NIST SP 800-53 Rev. 4 AC-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
| Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Least Privilege
ID: NIST SP 800-53 Rev. 4 AC-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Authorize Access To Security Functions
ID: NIST SP 800-53 Rev. 4 AC-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Privileged Accounts
ID: NIST SP 800-53 Rev. 4 AC-6 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review Of User Privileges
ID: NIST SP 800-53 Rev. 4 AC-6 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Privilege Levels For Code Execution
ID: NIST SP 800-53 Rev. 4 AC-6 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Auditing Use Of Privileged Functions
ID: NIST SP 800-53 Rev. 4 AC-6 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Unsuccessful Logon Attempts
ID: NIST SP 800-53 Rev. 4 AC-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
Concurrent Session Control
ID: NIST SP 800-53 Rev. 4 AC-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and enforce the limit of concurrent sessions | CMA_C1050 - Define and enforce the limit of concurrent sessions | Manual, Disabled | 1.1.0 |
Session Termination
ID: NIST SP 800-53 Rev. 4 AC-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
User-Initiated Logouts / Message Displays
ID: NIST SP 800-53 Rev. 4 AC-12 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Display an explicit logout message | CMA_C1056 - Display an explicit logout message | Manual, Disabled | 1.1.0 |
| Provide the logout capability | CMA_C1055 - Provide the logout capability | Manual, Disabled | 1.1.0 |
Permitted Actions Without Identification Or Authentication
ID: NIST SP 800-53 Rev. 4 AC-14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Security Attributes
ID: NIST SP 800-53 Rev. 4 AC-16 Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
Remote Access
ID: NIST SP 800-53 Rev. 4 AC-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.1-deprecated |
| [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.1-deprecated |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Audit, Disabled, Deny | 1.2.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Automated Monitoring / Control
ID: NIST SP 800-53 Rev. 4 AC-17 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.1-deprecated |
| [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.1-deprecated |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Audit, Disabled, Deny | 1.2.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Protection Of Confidentiality / Integrity Using Encryption
ID: NIST SP 800-53 Rev. 4 AC-17 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Managed Access Control Points
ID: NIST SP 800-53 Rev. 4 AC-17 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Privileged Commands / Access
ID: NIST SP 800-53 Rev. 4 AC-17 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Disconnect / Disable Access
ID: NIST SP 800-53 Rev. 4 AC-17 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Manual, Disabled | 1.1.0 |
Wireless Access
ID: NIST SP 800-53 Rev. 4 AC-18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Authentication And Encryption
ID: NIST SP 800-53 Rev. 4 AC-18 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Access Control For Mobile Devices
ID: NIST SP 800-53 Rev. 4 AC-19 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Full Device / Container-Based Encryption
ID: NIST SP 800-53 Rev. 4 AC-19 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Use Of External Information Systems
ID: NIST SP 800-53 Rev. 4 AC-20 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Limits On Authorized Use
ID: NIST SP 800-53 Rev. 4 AC-20 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Portable Storage Devices
ID: NIST SP 800-53 Rev. 4 AC-20 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Information Sharing
ID: NIST SP 800-53 Rev. 4 AC-21 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Manual, Disabled | 1.1.0 |
| Facilitate information sharing | CMA_0284 - Facilitate information sharing | Manual, Disabled | 1.1.0 |
Publicly Accessible Content
ID: NIST SP 800-53 Rev. 4 AC-22 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Review content prior to posting publicly accessible information | CMA_C1085 - Review content prior to posting publicly accessible information | Manual, Disabled | 1.1.0 |
| Review publicly accessible content for nonpublic information | CMA_C1086 - Review publicly accessible content for nonpublic information | Manual, Disabled | 1.1.0 |
| Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Awareness And Training
Security Awareness And Training Policy Andprocedures
ID: NIST SP 800-53 Rev. 4 AT-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Security Awareness Training
ID: NIST SP 800-53 Rev. 4 AT-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Insider Threat
ID: NIST SP 800-53 Rev. 4 AT-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Role-Based Security Training
ID: NIST SP 800-53 Rev. 4 AT-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Practical Exercises
ID: NIST SP 800-53 Rev. 4 AT-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
Suspicious Communications And Anomalous System Behavior
ID: NIST SP 800-53 Rev. 4 AT-3 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
Security Training Records
ID: NIST SP 800-53 Rev. 4 AT-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
| Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Audit And Accountability
Audit And Accountability Policy And Procedures
ID: NIST SP 800-53 Rev. 4 AU-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Audit Events
ID: NIST SP 800-53 Rev. 4 AU-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Reviews And Updates
ID: NIST SP 800-53 Rev. 4 AU-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
Content Of Audit Records
ID: NIST SP 800-53 Rev. 4 AU-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Additional Audit Information
ID: NIST SP 800-53 Rev. 4 AU-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Audit Storage Capacity
ID: NIST SP 800-53 Rev. 4 AU-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Response To Audit Processing Failures
ID: NIST SP 800-53 Rev. 4 AU-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Real-Time Alerts
ID: NIST SP 800-53 Rev. 4 AU-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide real-time alerts for audit event failures | CMA_C1114 - Provide real-time alerts for audit event failures | Manual, Disabled | 1.1.0 |
Audit Review, Analysis, And Reporting
ID: NIST SP 800-53 Rev. 4 AU-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Process Integration
ID: NIST SP 800-53 Rev. 4 AU-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Correlate Audit Repositories
ID: NIST SP 800-53 Rev. 4 AU-6 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Central Review And Analysis
ID: NIST SP 800-53 Rev. 4 AU-6 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Integration / Scanning And Monitoring Capabilities
ID: NIST SP 800-53 Rev. 4 AU-6 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Permitted Actions
ID: NIST SP 800-53 Rev. 4 AU-6 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |
Audit Level Adjustment
ID: NIST SP 800-53 Rev. 4 AU-6 (10) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Audit Reduction And Report Generation
ID: NIST SP 800-53 Rev. 4 AU-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
| Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |
Automatic Processing
ID: NIST SP 800-53 Rev. 4 AU-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
Time Stamps
ID: NIST SP 800-53 Rev. 4 AU-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
Synchronization With Authoritative Time Source
ID: NIST SP 800-53 Rev. 4 AU-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
Protection Of Audit Information
ID: NIST SP 800-53 Rev. 4 AU-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Audit Backup On Separate Physical Systems / Components
ID: NIST SP 800-53 Rev. 4 AU-9 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 AU-9 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Maintain integrity of audit system | CMA_C1133 - Maintain integrity of audit system | Manual, Disabled | 1.1.0 |
Access By Subset Of Privileged Users
ID: NIST SP 800-53 Rev. 4 AU-9 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Non-Repudiation
ID: NIST SP 800-53 Rev. 4 AU-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Audit Record Retention
ID: NIST SP 800-53 Rev. 4 AU-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Generation
ID: NIST SP 800-53 Rev. 4 AU-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
System-Wide / Time-Correlated Audit Trail
ID: NIST SP 800-53 Rev. 4 AU-12 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Manual, Disabled | 1.1.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Changes By Authorized Individuals
ID: NIST SP 800-53 Rev. 4 AU-12 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide the capability to extend or limit auditing on customer-deployed resources | CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources | Manual, Disabled | 1.1.0 |
Security Assessment And Authorization
Security Assessment And Authorization Policy And Procedures
ID: NIST SP 800-53 Rev. 4 CA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Security Assessments
ID: NIST SP 800-53 Rev. 4 CA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Independent Assessors
ID: NIST SP 800-53 Rev. 4 CA-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Specialized Assessments
ID: NIST SP 800-53 Rev. 4 CA-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
External Organizations
ID: NIST SP 800-53 Rev. 4 CA-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |
System Interconnections
ID: NIST SP 800-53 Rev. 4 CA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Unclassified Non-National Security System Connections
ID: NIST SP 800-53 Rev. 4 CA-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Restrictions On External System Connections
ID: NIST SP 800-53 Rev. 4 CA-3 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |
Plan Of Action And Milestones
ID: NIST SP 800-53 Rev. 4 CA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Security Authorization
ID: NIST SP 800-53 Rev. 4 CA-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Manual, Disabled | 1.1.0 |
| Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Manual, Disabled | 1.1.0 |
| Update the security authorization | CMA_C1160 - Update the security authorization | Manual, Disabled | 1.1.0 |
Continuous Monitoring
ID: NIST SP 800-53 Rev. 4 CA-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Independent Assessment
ID: NIST SP 800-53 Rev. 4 CA-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Manual, Disabled | 1.1.0 |
Trend Analyses
ID: NIST SP 800-53 Rev. 4 CA-7 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Manual, Disabled | 1.1.0 |
Independent Penetration Agent Or Team
ID: NIST SP 800-53 Rev. 4 CA-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
Internal System Connections
ID: NIST SP 800-53 Rev. 4 CA-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Configuration Management
Configuration Management Policy And Procedures
ID: NIST SP 800-53 Rev. 4 CM-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Baseline Configuration
ID: NIST SP 800-53 Rev. 4 CM-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Automation Support For Accuracy / Currency
ID: NIST SP 800-53 Rev. 4 CM-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Retention Of Previous Configurations
ID: NIST SP 800-53 Rev. 4 CM-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
Configure Systems, Components, Or Devices For High-Risk Areas
ID: NIST SP 800-53 Rev. 4 CM-2 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
| Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Configuration Change Control
ID: NIST SP 800-53 Rev. 4 CM-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Automated Document / Notification / Prohibition Of Changes
ID: NIST SP 800-53 Rev. 4 CM-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Test / Validate / Document Changes
ID: NIST SP 800-53 Rev. 4 CM-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Security Representative
ID: NIST SP 800-53 Rev. 4 CM-3 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign information security representative to change control | CMA_C1198 - Assign information security representative to change control | Manual, Disabled | 1.1.0 |
Cryptography Management
ID: NIST SP 800-53 Rev. 4 CM-3 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Security Impact Analysis
ID: NIST SP 800-53 Rev. 4 CM-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Separate Test Environments
ID: NIST SP 800-53 Rev. 4 CM-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Access Restrictions For Change
ID: NIST SP 800-53 Rev. 4 CM-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Automated Access Enforcement / Auditing
ID: NIST SP 800-53 Rev. 4 CM-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Manual, Disabled | 1.1.0 |
Review System Changes
ID: NIST SP 800-53 Rev. 4 CM-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
Signed Components
ID: NIST SP 800-53 Rev. 4 CM-5 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Restrict unauthorized software and firmware installation | CMA_C1205 - Restrict unauthorized software and firmware installation | Manual, Disabled | 1.1.0 |
Limit Production / Operational Privileges
ID: NIST SP 800-53 Rev. 4 CM-5 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Configuration Settings
ID: NIST SP 800-53 Rev. 4 CM-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.3.0 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
| Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.2.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.0.0 |
Automated Central Management / Application / Verification
ID: NIST SP 800-53 Rev. 4 CM-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Least Functionality
ID: NIST SP 800-53 Rev. 4 CM-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
Information System Component Inventory
ID: NIST SP 800-53 Rev. 4 CM-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Updates During Installations / Removals
ID: NIST SP 800-53 Rev. 4 CM-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Automated Unauthorized Component Detection
ID: NIST SP 800-53 Rev. 4 CM-8 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Accountability Information
ID: NIST SP 800-53 Rev. 4 CM-8 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Configuration Management Plan
ID: NIST SP 800-53 Rev. 4 CM-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Software Usage Restrictions
ID: NIST SP 800-53 Rev. 4 CM-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
| Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
Open Source Software
ID: NIST SP 800-53 Rev. 4 CM-10 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Manual, Disabled | 1.1.0 |
Contingency Planning
Contingency Planning Policy And Procedures
ID: NIST SP 800-53 Rev. 4 CP-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Contingency Plan
ID: NIST SP 800-53 Rev. 4 CP-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Coordinate With Related Plans
ID: NIST SP 800-53 Rev. 4 CP-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Capacity Planning
ID: NIST SP 800-53 Rev. 4 CP-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
Resume Essential Missions / Business Functions
ID: NIST SP 800-53 Rev. 4 CP-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Resume All Missions / Business Functions
ID: NIST SP 800-53 Rev. 4 CP-2 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Continue Essential Missions / Business Functions
ID: NIST SP 800-53 Rev. 4 CP-2 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Identify Critical Assets
ID: NIST SP 800-53 Rev. 4 CP-2 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Manual, Disabled | 1.1.0 |
Contingency Training
ID: NIST SP 800-53 Rev. 4 CP-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Simulated Events
ID: NIST SP 800-53 Rev. 4 CP-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Manual, Disabled | 1.1.0 |
Contingency Plan Testing
ID: NIST SP 800-53 Rev. 4 CP-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Manual, Disabled | 1.1.0 |
| Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Manual, Disabled | 1.1.0 |
| Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Coordinate With Related Plans
ID: NIST SP 800-53 Rev. 4 CP-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Alternate Processing Site
ID: NIST SP 800-53 Rev. 4 CP-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Evaluate alternate processing site capabilities | CMA_C1266 - Evaluate alternate processing site capabilities | Manual, Disabled | 1.1.0 |
| Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Manual, Disabled | 1.1.0 |
Alternate Storage Site
ID: NIST SP 800-53 Rev. 4 CP-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Separation From Primary Site
ID: NIST SP 800-53 Rev. 4 CP-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Recovery Time / Point Objectives
ID: NIST SP 800-53 Rev. 4 CP-6 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Manual, Disabled | 1.1.0 |
Accessibility
ID: NIST SP 800-53 Rev. 4 CP-6 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Alternate Processing Site
ID: NIST SP 800-53 Rev. 4 CP-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Separation From Primary Site
ID: NIST SP 800-53 Rev. 4 CP-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Accessibility
ID: NIST SP 800-53 Rev. 4 CP-7 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Priority Of Service
ID: NIST SP 800-53 Rev. 4 CP-7 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
Preparation For Use
ID: NIST SP 800-53 Rev. 4 CP-7 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Manual, Disabled | 1.1.0 |
Priority Of Service Provisions
ID: NIST SP 800-53 Rev. 4 CP-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
Information System Backup
ID: NIST SP 800-53 Rev. 4 CP-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 3.0.0 |
Separate Storage For Critical Information
ID: NIST SP 800-53 Rev. 4 CP-9 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Transfer To Alternate Storage Site
ID: NIST SP 800-53 Rev. 4 CP-9 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Information System Recovery And Reconstitution
ID: NIST SP 800-53 Rev. 4 CP-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |
Transaction Recovery
ID: NIST SP 800-53 Rev. 4 CP-10 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
Restore Within Time Period
ID: NIST SP 800-53 Rev. 4 CP-10 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Manual, Disabled | 1.1.1 |
Identification And Authentication
Identification And Authentication Policy And Procedures
ID: NIST SP 800-53 Rev. 4 IA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
Identification And Authentication (Organizational Users)
ID: NIST SP 800-53 Rev. 4 IA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Network Access To Privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Network Access To Non-Privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Local Access To Privileged Accounts
ID: NIST SP 800-53 Rev. 4 IA-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Group Authentication
ID: NIST SP 800-53 Rev. 4 IA-2 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require use of individual authenticators | CMA_C1305 - Require use of individual authenticators | Manual, Disabled | 1.1.0 |
Remote Access - Separate Device
ID: NIST SP 800-53 Rev. 4 IA-2 (11) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Acceptance Of Piv Credentials
ID: NIST SP 800-53 Rev. 4 IA-2 (12) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Identifier Management
ID: NIST SP 800-53 Rev. 4 IA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Identify User Status
ID: NIST SP 800-53 Rev. 4 IA-4 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify status of individual users | CMA_C1316 - Identify status of individual users | Manual, Disabled | 1.1.0 |
Authenticator Management
ID: NIST SP 800-53 Rev. 4 IA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 2.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | audit, Audit, deny, Deny, disabled, Disabled | 2.2.1 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
| Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Password-Based Authentication
ID: NIST SP 800-53 Rev. 4 IA-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 2.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Pki-Based Authentication
ID: NIST SP 800-53 Rev. 4 IA-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Bind authenticators and identities dynamically | CMA_0035 - Bind authenticators and identities dynamically | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish parameters for searching secret authenticators and verifiers | CMA_0274 - Establish parameters for searching secret authenticators and verifiers | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Map authenticated identities to individuals | CMA_0372 - Map authenticated identities to individuals | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
In-Person Or Trusted Third-Party Registration
ID: NIST SP 800-53 Rev. 4 IA-5 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Distribute authenticators | CMA_0184 - Distribute authenticators | Manual, Disabled | 1.1.0 |
Automated Support For Password Strength Determination
ID: NIST SP 800-53 Rev. 4 IA-5 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Protection Of Authenticators
ID: NIST SP 800-53 Rev. 4 IA-5 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Manual, Disabled | 1.1.0 |
No Embedded Unencrypted Static Authenticators
ID: NIST SP 800-53 Rev. 4 IA-5 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Hardware Token-Based Authentication
ID: NIST SP 800-53 Rev. 4 IA-5 (11) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
Expiration Of Cached Authenticators
ID: NIST SP 800-53 Rev. 4 IA-5 (13) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce expiration of cached authenticators | CMA_C1343 - Enforce expiration of cached authenticators | Manual, Disabled | 1.1.0 |
Authenticator Feedback
ID: NIST SP 800-53 Rev. 4 IA-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
Cryptographic Module Authentication
ID: NIST SP 800-53 Rev. 4 IA-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Identification And Authentication (Non- Organizational Users)
ID: NIST SP 800-53 Rev. 4 IA-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Acceptance Of Piv Credentials From Other Agencies
ID: NIST SP 800-53 Rev. 4 IA-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Manual, Disabled | 1.1.0 |
Acceptance Of Third-Party Credentials
ID: NIST SP 800-53 Rev. 4 IA-8 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Manual, Disabled | 1.1.0 |
Use Of Ficam-Approved Products
ID: NIST SP 800-53 Rev. 4 IA-8 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Manual, Disabled | 1.1.0 |
Use Of Ficam-Issued Profiles
ID: NIST SP 800-53 Rev. 4 IA-8 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Manual, Disabled | 1.1.0 |
Incident Response
Incident Response Policy And Procedures
ID: NIST SP 800-53 Rev. 4 IR-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Incident Response Training
ID: NIST SP 800-53 Rev. 4 IR-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Simulated Events
ID: NIST SP 800-53 Rev. 4 IR-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
Automated Training Environments
ID: NIST SP 800-53 Rev. 4 IR-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Incident Response Testing
ID: NIST SP 800-53 Rev. 4 IR-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
Coordination With Related Plans
ID: NIST SP 800-53 Rev. 4 IR-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
Incident Handling
ID: NIST SP 800-53 Rev. 4 IR-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Automated Incident Handling Processes
ID: NIST SP 800-53 Rev. 4 IR-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Dynamic Reconfiguration
ID: NIST SP 800-53 Rev. 4 IR-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Include dynamic reconfig of customer deployed resources | CMA_C1364 - Include dynamic reconfig of customer deployed resources | Manual, Disabled | 1.1.0 |
Continuity Of Operations
ID: NIST SP 800-53 Rev. 4 IR-4 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
Information Correlation
ID: NIST SP 800-53 Rev. 4 IR-4 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Insider Threats - Specific Capabilities
ID: NIST SP 800-53 Rev. 4 IR-4 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
Correlation With External Organizations
ID: NIST SP 800-53 Rev. 4 IR-4 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Manual, Disabled | 1.1.0 |
Incident Monitoring
ID: NIST SP 800-53 Rev. 4 IR-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Automated Reporting
ID: NIST SP 800-53 Rev. 4 IR-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Vulnerabilities Related to Incidents
ID: NIST SP 800-53 Rev. 4 IR-6 (2) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Incident Response Assistance
ID: NIST SP 800-53 Rev. 4 IR-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Automation Support For Availability Of Information / Support
ID: NIST SP 800-53 Rev. 4 IR-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Coordination With External Providers
ID: NIST SP 800-53 Rev. 4 IR-7 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
Incident Response Plan
ID: NIST SP 800-53 Rev. 4 IR-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Information Spillage Response
ID: NIST SP 800-53 Rev. 4 IR-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify contaminated systems and components | CMA_0300 - Identify contaminated systems and components | Manual, Disabled | 1.1.0 |
| Identify spilled information | CMA_0303 - Identify spilled information | Manual, Disabled | 1.1.0 |
| Isolate information spills | CMA_0346 - Isolate information spills | Manual, Disabled | 1.1.0 |
Responsible Personnel
ID: NIST SP 800-53 Rev. 4 IR-9 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
Training
ID: NIST SP 800-53 Rev. 4 IR-9 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Post-Spill Operations
ID: NIST SP 800-53 Rev. 4 IR-9 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop spillage response procedures | CMA_0162 - Develop spillage response procedures | Manual, Disabled | 1.1.0 |
Exposure To Unauthorized Personnel
ID: NIST SP 800-53 Rev. 4 IR-9 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Maintenance
System Maintenance Policy And Procedures
ID: NIST SP 800-53 Rev. 4 MA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Controlled Maintenance
ID: NIST SP 800-53 Rev. 4 MA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Automated Maintenance Activities
ID: NIST SP 800-53 Rev. 4 MA-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
| Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
Maintenance Tools
ID: NIST SP 800-53 Rev. 4 MA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Inspect Tools
ID: NIST SP 800-53 Rev. 4 MA-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Inspect Media
ID: NIST SP 800-53 Rev. 4 MA-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Prevent Unauthorized Removal
ID: NIST SP 800-53 Rev. 4 MA-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Nonlocal Maintenance
ID: NIST SP 800-53 Rev. 4 MA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Document Nonlocal Maintenance
ID: NIST SP 800-53 Rev. 4 MA-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Comparable Security / Sanitization
ID: NIST SP 800-53 Rev. 4 MA-4 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Manual, Disabled | 1.1.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 MA-4 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Manual, Disabled | 1.1.0 |
Maintenance Personnel
ID: NIST SP 800-53 Rev. 4 MA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
| Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
| Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
Individuals Without Appropriate Access
ID: NIST SP 800-53 Rev. 4 MA-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Timely Maintenance
ID: NIST SP 800-53 Rev. 4 MA-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Manual, Disabled | 1.1.0 |
Media Protection
Media Protection Policy And Procedures
ID: NIST SP 800-53 Rev. 4 MP-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Media Access
ID: NIST SP 800-53 Rev. 4 MP-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Media Marking
ID: NIST SP 800-53 Rev. 4 MP-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Media Storage
ID: NIST SP 800-53 Rev. 4 MP-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Media Transport
ID: NIST SP 800-53 Rev. 4 MP-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 MP-5 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Media Sanitization
ID: NIST SP 800-53 Rev. 4 MP-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Review / Approve / Track / Document / Verify
ID: NIST SP 800-53 Rev. 4 MP-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Equipment Testing
ID: NIST SP 800-53 Rev. 4 MP-6 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Media Use
ID: NIST SP 800-53 Rev. 4 MP-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Prohibit Use Without Owner
ID: NIST SP 800-53 Rev. 4 MP-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Physical And Environmental Protection
Physical And Environmental Protection Policy And Procedures
ID: NIST SP 800-53 Rev. 4 PE-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Physical Access Authorizations
ID: NIST SP 800-53 Rev. 4 PE-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Physical Access Control
ID: NIST SP 800-53 Rev. 4 PE-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Access Control For Transmission Medium
ID: NIST SP 800-53 Rev. 4 PE-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Access Control For Output Devices
ID: NIST SP 800-53 Rev. 4 PE-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Intrusion Alarms / Surveillance Equipment
ID: NIST SP 800-53 Rev. 4 PE-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Visitor Access Records
ID: NIST SP 800-53 Rev. 4 PE-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Emergency Lighting
ID: NIST SP 800-53 Rev. 4 PE-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
Fire Protection
ID: NIST SP 800-53 Rev. 4 PE-13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Detection Devices / Systems
ID: NIST SP 800-53 Rev. 4 PE-13 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
Suppression Devices / Systems
ID: NIST SP 800-53 Rev. 4 PE-13 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Automatic Fire Suppression
ID: NIST SP 800-53 Rev. 4 PE-13 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Temperature And Humidity Controls
ID: NIST SP 800-53 Rev. 4 PE-14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Monitoring With Alarms / Notifications
ID: NIST SP 800-53 Rev. 4 PE-14 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Water Damage Protection
ID: NIST SP 800-53 Rev. 4 PE-15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Delivery And Removal
ID: NIST SP 800-53 Rev. 4 PE-16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Alternate Work Site
ID: NIST SP 800-53 Rev. 4 PE-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Location Of Information System Components
ID: NIST SP 800-53 Rev. 4 PE-18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Planning
Security Planning Policy And Procedures
ID: NIST SP 800-53 Rev. 4 PL-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
System Security Plan
ID: NIST SP 800-53 Rev. 4 PL-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Plan / Coordinate With Other Organizational Entities
ID: NIST SP 800-53 Rev. 4 PL-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Rules Of Behavior
ID: NIST SP 800-53 Rev. 4 PL-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Social Media And Networking Restrictions
ID: NIST SP 800-53 Rev. 4 PL-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Information Security Architecture
ID: NIST SP 800-53 Rev. 4 PL-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
| Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Personnel Security
Personnel Security Policy And Procedures
ID: NIST SP 800-53 Rev. 4 PS-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Position Risk Designation
ID: NIST SP 800-53 Rev. 4 PS-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign risk designations | CMA_0016 - Assign risk designations | Manual, Disabled | 1.1.0 |
Personnel Screening
ID: NIST SP 800-53 Rev. 4 PS-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
| Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
| Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
Information With Special Protection Measures
ID: NIST SP 800-53 Rev. 4 PS-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Personnel Termination
ID: NIST SP 800-53 Rev. 4 PS-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Automated Notification
ID: NIST SP 800-53 Rev. 4 PS-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate notification of employee termination | CMA_C1521 - Automate notification of employee termination | Manual, Disabled | 1.1.0 |
Personnel Transfer
ID: NIST SP 800-53 Rev. 4 PS-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Access Agreements
ID: NIST SP 800-53 Rev. 4 PS-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Third-Party Personnel Security
ID: NIST SP 800-53 Rev. 4 PS-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Personnel Sanctions
ID: NIST SP 800-53 Rev. 4 PS-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Risk Assessment
Risk Assessment Policy And Procedures
ID: NIST SP 800-53 Rev. 4 RA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Security Categorization
ID: NIST SP 800-53 Rev. 4 RA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
| Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
| Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Risk Assessment
ID: NIST SP 800-53 Rev. 4 RA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Vulnerability Scanning
ID: NIST SP 800-53 Rev. 4 RA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Update Tool Capability
ID: NIST SP 800-53 Rev. 4 RA-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Update By Frequency / Prior To New Scan / When Identified
ID: NIST SP 800-53 Rev. 4 RA-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Breadth / Depth Of Coverage
ID: NIST SP 800-53 Rev. 4 RA-5 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Discoverable Information
ID: NIST SP 800-53 Rev. 4 RA-5 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Take action in response to customer information | CMA_C1554 - Take action in response to customer information | Manual, Disabled | 1.1.0 |
Privileged Access
ID: NIST SP 800-53 Rev. 4 RA-5 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Automated Trend Analyses
ID: NIST SP 800-53 Rev. 4 RA-5 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review Historic Audit Logs
ID: NIST SP 800-53 Rev. 4 RA-5 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Correlate Scanning Information
ID: NIST SP 800-53 Rev. 4 RA-5 (10) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
System And Services Acquisition
System And Services Acquisition Policy And Procedures
ID: NIST SP 800-53 Rev. 4 SA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Allocation Of Resources
ID: NIST SP 800-53 Rev. 4 SA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
System Development Life Cycle
ID: NIST SP 800-53 Rev. 4 SA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Acquisition Process
ID: NIST SP 800-53 Rev. 4 SA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Functional Properties Of Security Controls
ID: NIST SP 800-53 Rev. 4 SA-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Manual, Disabled | 1.1.0 |
Design / Implementation Information For Security Controls
ID: NIST SP 800-53 Rev. 4 SA-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Manual, Disabled | 1.1.1 |
Continuous Monitoring Plan
ID: NIST SP 800-53 Rev. 4 SA-4 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Obtain continuous monitoring plan for security controls | CMA_C1577 - Obtain continuous monitoring plan for security controls | Manual, Disabled | 1.1.0 |
Functions / Ports / Protocols / Services In Use
ID: NIST SP 800-53 Rev. 4 SA-4 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
Use Of Approved Piv Products
ID: NIST SP 800-53 Rev. 4 SA-4 (10) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Manual, Disabled | 1.1.0 |
Information System Documentation
ID: NIST SP 800-53 Rev. 4 SA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0 |
| Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0 |
| Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0 |
| Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0 |
| Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0 |
External Information System Services
ID: NIST SP 800-53 Rev. 4 SA-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Risk Assessments / Organizational Approvals
ID: NIST SP 800-53 Rev. 4 SA-9 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Manual, Disabled | 1.1.0 |
Identification Of Functions / Ports / Protocols / Services
ID: NIST SP 800-53 Rev. 4 SA-9 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Consistent Interests Of Consumers And Providers
ID: NIST SP 800-53 Rev. 4 SA-9 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Processing, Storage, And Service Location
ID: NIST SP 800-53 Rev. 4 SA-9 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Manual, Disabled | 1.1.0 |
Developer Configuration Management
ID: NIST SP 800-53 Rev. 4 SA-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Software / Firmware Integrity Verification
ID: NIST SP 800-53 Rev. 4 SA-10 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
Developer Security Testing And Evaluation
ID: NIST SP 800-53 Rev. 4 SA-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
Supply Chain Protection
ID: NIST SP 800-53 Rev. 4 SA-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Development Process, Standards, And Tools
ID: NIST SP 800-53 Rev. 4 SA-15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Developer-Provided Training
ID: NIST SP 800-53 Rev. 4 SA-16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require developers to provide training | CMA_C1611 - Require developers to provide training | Manual, Disabled | 1.1.0 |
Developer Security Architecture And Design
ID: NIST SP 800-53 Rev. 4 SA-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
| Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
| Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
System And Communications Protection
System And Communications Protection Policy And Procedures
ID: NIST SP 800-53 Rev. 4 SC-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Application Partitioning
ID: NIST SP 800-53 Rev. 4 SC-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Security Function Isolation
ID: NIST SP 800-53 Rev. 4 SC-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Denial Of Service Protection
ID: NIST SP 800-53 Rev. 4 SC-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Manual, Disabled | 1.1.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Resource Availability
ID: NIST SP 800-53 Rev. 4 SC-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Manage availability and capacity | CMA_0356 - Manage availability and capacity | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
Boundary Protection
ID: NIST SP 800-53 Rev. 4 SC-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.1-deprecated |
| [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.1-deprecated |
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.1.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Access Points
ID: NIST SP 800-53 Rev. 4 SC-7 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.1-deprecated |
| [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.1-deprecated |
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.1.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
External Telecommunications Services
ID: NIST SP 800-53 Rev. 4 SC-7 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Prevent Split Tunneling For Remote Devices
ID: NIST SP 800-53 Rev. 4 SC-7 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Route Traffic To Authenticated Proxy Servers
ID: NIST SP 800-53 Rev. 4 SC-7 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Host-Based Protection
ID: NIST SP 800-53 Rev. 4 SC-7 (12) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Isolation Of Security Tools / Mechanisms / Support Components
ID: NIST SP 800-53 Rev. 4 SC-7 (13) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |
Fail Secure
ID: NIST SP 800-53 Rev. 4 SC-7 (18) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Manage transfers between standby and active system components | CMA_0371 - Manage transfers between standby and active system components | Manual, Disabled | 1.1.0 |
Dynamic Isolation / Segregation
ID: NIST SP 800-53 Rev. 4 SC-7 (20) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Manual, Disabled | 1.1.0 |
Isolation Of Information System Components
ID: NIST SP 800-53 Rev. 4 SC-7 (21) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Transmission Confidentiality And Integrity
ID: NIST SP 800-53 Rev. 4 SC-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
Cryptographic Or Alternate Physical Protection
ID: NIST SP 800-53 Rev. 4 SC-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
Network Disconnect
ID: NIST SP 800-53 Rev. 4 SC-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Cryptographic Key Establishment And Management
ID: NIST SP 800-53 Rev. 4 SC-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. | Audit, Deny, Disabled | 1.0.0-preview |
| Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. | Audit, Deny, Disabled | 2.2.0 |
| Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | audit, Audit, disabled, Disabled | 1.1.0 |
| Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Audit, Deny, Disabled | 1.0.0 |
| Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Audit, Deny, Disabled | 1.0.1 |
| Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled, Deny | 1.0.0 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Audit, Deny, Disabled | 1.0.0 |
| Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. | Audit, Deny, Disabled | 1.0.0 |
| Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Audit, Deny, Disabled | 1.0.1 |
| Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Audit, Deny, Disabled | 1.0.1 |
| Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Audit, Deny, Disabled | 1.0.0 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.1.0 |
| Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. | Audit, Deny, Disabled | 1.0.0 |
| Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Audit, Disabled | 1.0.0 |
| HPC Cache accounts should use customer-managed key for encryption | Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Audit, Disabled, Deny | 2.0.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Logic Apps Integration Service Environment should be encrypted with customer-managed keys | Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Audit, Deny, Disabled | 1.0.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Managed disks should be double encrypted with both platform-managed and customer-managed keys | High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Audit, Deny, Disabled | 1.0.0 |
| MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Audit, Deny, Disabled | 3.0.0 |
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
| Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Service Bus Premium namespaces should use a customer-managed key for encryption | Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. | Audit, Disabled | 1.0.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
| Storage account encryption scopes should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. | Audit, Deny, Disabled | 1.0.0 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
Availability
ID: NIST SP 800-53 Rev. 4 SC-12 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Maintain availability of information | CMA_C1644 - Maintain availability of information | Manual, Disabled | 1.1.0 |
Symmetric Keys
ID: NIST SP 800-53 Rev. 4 SC-12 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Asymmetric Keys
ID: NIST SP 800-53 Rev. 4 SC-12 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 SC-13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Collaborative Computing Devices
ID: NIST SP 800-53 Rev. 4 SC-15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
| Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Public Key Infrastructure Certificates
ID: NIST SP 800-53 Rev. 4 SC-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Mobile Code
ID: NIST SP 800-53 Rev. 4 SC-18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
| Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
| Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Voice Over Internet Protocol
ID: NIST SP 800-53 Rev. 4 SC-19 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Establish voip usage restrictions | CMA_0280 - Establish voip usage restrictions | Manual, Disabled | 1.1.0 |
Secure Name /Address Resolution Service (Authoritative Source)
ID: NIST SP 800-53 Rev. 4 SC-20 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Secure Name /Address Resolution Service (Recursive Or Caching Resolver)
ID: NIST SP 800-53 Rev. 4 SC-21 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
Architecture And Provisioning For Name/Address Resolution Service
ID: NIST SP 800-53 Rev. 4 SC-22 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Session Authenticity
ID: NIST SP 800-53 Rev. 4 SC-23 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Manual, Disabled | 1.1.0 |
Invalidate Session Identifiers At Logout
ID: NIST SP 800-53 Rev. 4 SC-23 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Invalidate session identifiers at logout | CMA_C1661 - Invalidate session identifiers at logout | Manual, Disabled | 1.1.0 |
Fail In Known State
ID: NIST SP 800-53 Rev. 4 SC-24 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Protection Of Information At Rest
ID: NIST SP 800-53 Rev. 4 SC-28 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Infrastructure encryption should be enabled for Azure Database for MySQL servers | Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. | Audit, Deny, Disabled | 1.0.0 |
| Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys | Audit, Deny, Disabled | 1.0.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 4 SC-28 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Infrastructure encryption should be enabled for Azure Database for MySQL servers | Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. | Audit, Deny, Disabled | 1.0.0 |
| Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys | Audit, Deny, Disabled | 1.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
Process Isolation
ID: NIST SP 800-53 Rev. 4 SC-39 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Manual, Disabled | 1.1.0 |
System And Information Integrity
System And Information Integrity Policy And Procedures
ID: NIST SP 800-53 Rev. 4 SI-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Flaw Remediation
ID: NIST SP 800-53 Rev. 4 SI-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Automated Flaw Remediation Status
ID: NIST SP 800-53 Rev. 4 SI-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Time To Remediate Flaws / Benchmarks For Corrective Actions
ID: NIST SP 800-53 Rev. 4 SI-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Manual, Disabled | 1.1.0 |
| Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Manual, Disabled | 1.1.0 |
Removal of Previous Versions of Software / Firmware
ID: NIST SP 800-53 Rev. 4 SI-2 (6) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
Malicious Code Protection
ID: NIST SP 800-53 Rev. 4 SI-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Central Management
ID: NIST SP 800-53 Rev. 4 SI-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Automatic Updates
ID: NIST SP 800-53 Rev. 4 SI-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Nonsignature-Based Detection
ID: NIST SP 800-53 Rev. 4 SI-3 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Information System Monitoring
ID: NIST SP 800-53 Rev. 4 SI-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Automated Tools For Real-Time Analysis
ID: NIST SP 800-53 Rev. 4 SI-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Inbound And Outbound Communications Traffic
ID: NIST SP 800-53 Rev. 4 SI-4 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
System-Generated Alerts
ID: NIST SP 800-53 Rev. 4 SI-4 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Automated Alerts
ID: NIST SP 800-53 Rev. 4 SI-4 (12) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Wireless Intrusion Detection
ID: NIST SP 800-53 Rev. 4 SI-4 (14) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Unauthorized Network Services
ID: NIST SP 800-53 Rev. 4 SI-4 (22) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Indicators Of Compromise
ID: NIST SP 800-53 Rev. 4 SI-4 (24) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
Security Alerts, Advisories, And Directives
ID: NIST SP 800-53 Rev. 4 SI-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
| Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
| Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0 |
| Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0 |
Automated Alerts And Advisories
ID: NIST SP 800-53 Rev. 4 SI-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Use automated mechanisms for security alerts | CMA_C1707 - Use automated mechanisms for security alerts | Manual, Disabled | 1.1.0 |
Security Function Verification
ID: NIST SP 800-53 Rev. 4 SI-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Manual, Disabled | 1.1.0 |
| Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Manual, Disabled | 1.1.0 |
| Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Manual, Disabled | 1.1.0 |
| Verify security functions | CMA_C1708 - Verify security functions | Manual, Disabled | 1.1.0 |
Software, Firmware, And Information Integrity
ID: NIST SP 800-53 Rev. 4 SI-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
Integrity Checks
ID: NIST SP 800-53 Rev. 4 SI-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Automated Response To Integrity Violations
ID: NIST SP 800-53 Rev. 4 SI-7 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Binary Or Machine Executable Code
ID: NIST SP 800-53 Rev. 4 SI-7 (14) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Manual, Disabled | 1.1.0 |
Information Input Validation
ID: NIST SP 800-53 Rev. 4 SI-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Error Handling
ID: NIST SP 800-53 Rev. 4 SI-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
| Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
Information Handling And Retention
ID: NIST SP 800-53 Rev. 4 SI-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Memory Protection
ID: NIST SP 800-53 Rev. 4 SI-16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.