Azure CIS Benchmarks (CIS Microsoft Azure Foundations v1.1.0)
The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. their guide was tested against the listed Azure services as of Feb-2018. The scope of the benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud. The benchmark is, however, not an exhaustive list of all possible security configurations and architecture. You should take the benchmark as a starting point and do the required site-specific tailoring wherever needed and is prudent to do so.
| Control | Description |
|---|---|
| 1.3 Ensure that there are no guest users | Do not add guest users if not needed. |
| 2.2 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Enable automatic provisioning of the monitoring agent to collect security data. |
| 2.3 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | Enable system updates recommendations for virtual machines. |
| 2.4 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Enable Monitor OS vulnerability recommendations for virtual machines. |
| 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Enable Endpoint protection recommendations for virtual machines. |
| 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Enable Disk encryption recommendations for virtual machines. |
| 2.7 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Enable Network security group recommendations for virtual machines. |
| 2.10 Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | Enable vulnerability assessment recommendations for virtual machines. |
| 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Enable storage encryption recommendations. |
| 2.13 Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" | Enable adaptive application controls. |
| 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Enable SQL auditing recommendations. |
| 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Enable SQL encryption recommendations. |
| 2.16 Ensure that 'Security contact emails' is set | Provide a security contact email address. |
| 2.17 Ensure that security contact 'Phone number' is set | Provide a security contact phone number. |
| 2.18 Ensure that 'Send email notification for high severity alerts' is set to 'On' | Enable emailing security alerts to the security contact. |
| 2.19 Ensure that 'Send email also to subscription owners' is set to 'On' | Enable security alert emails to subscription owners. |
| 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' | Enable data encryption in transit. |
| 3.6 Ensure that 'Public access level' is set to Private for blob containers | Disable anonymous access to blob containers. |
| 4.1 Ensure that 'Auditing' is set to 'On' | Enable auditing on SQL Servers. |
| 4.2 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | Configure the 'AuditActionGroups' property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server. |
| 4.3 Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL Server Audit Retention should be configured to be greater than 90 days. |
| 4.8 Ensure that Azure Active Directory Admin is configured | Use Azure Active Directory Authentication for authentication with SQL Database. |
| 4.9 Ensure that 'Data encryption' is set to 'On' on a SQL Database | Enable Transparent Data Encryption on every SQL server. |
| 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Enable `SSL connection` on `MYSQL` Servers. |
| 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Enable `log_checkpoints` on `PostgreSQL Servers`. |
| 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Enable `SSL connection` on `PostgreSQL` Servers. |
| 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Enable `log_connections` on `PostgreSQL Servers`. |
| 4.15 Enable `log_connections` on `PostgreSQL Servers`. | Enable `log_disconnections` on `PostgreSQL Servers`. |
| 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Enable `log_duration` on `PostgreSQL Servers`. |
| 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Enable `connection_throttling` on `PostgreSQL Servers`. |
| 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Enable `log_retention_days` on `PostgreSQL Servers`. |
| 4.19 Ensure that Azure Active Directory Admin is configured | Use Azure Active Directory Authentication for authentication with SQL Database. |
| 5.1.1 Ensure that a Log Profile exists | Enable log profile for exporting activity logs. |
| 5.1.2 Ensure that Activity Log Retention is set 365 days or greater | Ensure activity log retention is set for 365 days or greater. |
| 5.1.3 Ensure audit profile captures all the activities | The log profile should be configured to export all activities from the control/management plane. |
| 5.1.4 Ensure the log profile captures activity logs for all regions including global | Configure the log profile to export activities from all Azure supported regions/locations including global. |
| 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible | The storage account container containing the activity log export should not be publicly accessible. |
| 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' | Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. |
| 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment | Create an activity log alert for the Create Policy Assignment event. |
| 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group | Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. |
| 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group | Create an activity log alert for the Delete Network Security Group event. |
| 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Create an activity log alert for the Create or Update Network Security Group Rule event. |
| 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule | Create an activity log alert for the Delete Network Security Group Rule event. |
| 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution | Create an activity log alert for the Create or Update Security Solution event. |
| 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution | Create an activity log alert for the Delete Security Solution event. |
| 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
| 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy | Create an activity log alert for the Update Security Policy event. |
| 6.1 Ensure that RDP access is restricted from the internet | Disable RDP access on network security groups from the Internet. |
| 6.2 Ensure that SSH access is restricted from the internet | Disable SSH access on network security groups from the Internet. |
| 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). |
| 6.5 Ensure that Network Watcher is 'Enabled' | Enable Network Watcher for Azure subscriptions. |
| 7.1 Ensure that 'OS disk' are encrypted | Ensure that OS disks (boot volumes) are encrypted, where possible. |
| 7.2 Ensure that 'Data disks' are encrypted | Ensure that data disks (non-boot volumes) are encrypted, where possible. |
| 7.3 Ensure that 'Unattached disks' are encrypted | Ensure that unattached disks in a subscription are encrypted. |
| 7.6 Ensure that the endpoint protection for all Virtual Machines is installed | Install endpoint protection for all virtual machines. |
| 8.1 Ensure that the expiration date is set on all keys | Ensure that all keys in Azure Key Vault have an expiration time set. |
| 8.2 Ensure that the expiration date is set on all Secrets | Ensure that all Secrets in the Azure Key Vault have an expiration time set. |
| 8.4 Ensure the key vault is recoverable | The key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions supported by the key vault objects. |
| 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services | Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
| 9.1 Ensure App Service Authentication is set on Azure App Service | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. |
| 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. |
| 9.3 Ensure web app is using the latest version of TLS encryption | The TLS(Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. |
| 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |
| 9.5 Ensure that Register with Azure Active Directory is enabled on App Service | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. |
| 9.6 Ensure that '.Net Framework' version is the latest if used as a part of the web app | Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. |
| 9.7 Ensure that 'PHP version' is the latest if used to run the web app | Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. |
| 9.8 Ensure that 'Python version' is the latest if used to run the web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. |
| 9.9 Ensure that 'Java version' is the latest if used to run the web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. |
| 9.10 Ensure that 'HTTP Version' is the latest if used to run the web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. |
| 1.23 Ensure that no custom subscription owner roles are created | Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. |
| 2.1 Ensure that standard pricing tier is selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
| 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Enable JIT Network Access for virtual machines. |
| 3.3 Ensure Storage logging is enabled for Queue service for reading, write, and delete requests | The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. |
| 3.7 Ensure default network access rule for Storage Accounts is set to deny | Restricting default network access helps to provide a new layer of security since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. |
| 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. |
| 4.4 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Enable "Advanced Data Security" on critical SQL Servers. |
| 4.6 Ensure that 'Send alerts to' is set | Provide the email address where alerts will be sent when anomalous activities are detected on SQL servers. |
| 4.7 Ensure that 'Email service and co-administrators' is 'Enabled' | Enable service and co-administrators to receive security alerts from the SQL server. |
| 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. |
| 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
To View the Compliance Programs available visit Compliance in your Aqua CSPM Console, and select Defaults or Custom to filter the programs displayed, you can also expand the program control details using the Expand Settings toggle.
Did you find it helpful? Yes No
Send feedbackSorry we couldn't be helpful. Help us improve this article with your feedback.