Details of the CIS Microsoft Azure Foundations Benchmark 2.0.0 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in CIS Microsoft Azure Foundations Benchmark 2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark 2.0.0. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the CIS Microsoft Azure Foundations Benchmark 2.0.0 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the CIS Microsoft Azure Foundations Benchmark v2.0.0 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

1.1

Ensure Security Defaults is enabled on Azure Active Directory

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0

Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

1

Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.11 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.13 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

Ensure That 'Users Can Register Applications' Is Set to 'No'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.14 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.15 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.16 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.17 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.18 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.19 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.20 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.21 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

Ensure That No Custom Subscription Administrator Roles Exist

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.24 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Ensure Guest Users Are Reviewed on a Regular Basis

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0

Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0

Ensure that 'Notify users on password resets?' is set to 'Yes'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0

10

Ensure that Resource Locks are set for Mission-Critical Azure Resources

ID: CIS Microsoft Azure Foundations Benchmark recommendation 10.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

2.1

Ensure That Microsoft Defender for Servers Is Set to 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for Key Vault Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for DNS Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.11 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Deprecated]: Azure Defender for DNS should be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation AuditIfNotExists, Disabled 1.1.0-deprecated

Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.12 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0

Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.13 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Audit, Deny, Disabled 3.7.0

Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.14 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0

Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.15 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0

Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.17 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure 'Additional email addresses' is Configured with a Security Contact Email

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.19 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. AuditIfNotExists, Disabled 1.0.1

Ensure That Microsoft Defender for App Services Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That 'Notify about alerts with the following severity' is Set to 'High'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.20 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. AuditIfNotExists, Disabled 1.2.0

Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.21 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.22 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for Databases Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for open-source relational databases should be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center AuditIfNotExists, Disabled 1.0.0
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Microsoft Defender for Azure Cosmos DB should be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. AuditIfNotExists, Disabled 1.0.0

Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for open-source relational databases should be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center AuditIfNotExists, Disabled 1.0.0

Ensure That Microsoft Defender for Storage Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. AuditIfNotExists, Disabled 1.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for Containers Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 2.1.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Defender for Azure Cosmos DB should be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. AuditIfNotExists, Disabled 1.0.0

3

Ensure that 'Secure transfer required' is set to 'Enabled'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0

Ensure Private Endpoints are used to access Storage Accounts

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0

Ensure Storage for Critical Data are Encrypted with Customer Managed Keys

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.12 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled 1.0.3

Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.13 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.14 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.15 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Storage accounts should have the specified minimum TLS version Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. Audit, Deny, Disabled 1.0.0

Ensure that ‘Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to ‘enabled'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Storage accounts should have infrastructure encryption Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. Audit, Deny, Disabled 1.0.0

Ensure that Storage Account Access Keys are Periodically Regenerated

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure that Shared Access Signature Tokens Expire Within an Hour

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0

Ensure that 'Public access level' is disabled for storage accounts with blob containers

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. audit, Audit, deny, Deny, disabled, Disabled 3.1.0-preview
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1

Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

ID: CIS Microsoft Azure Foundations Benchmark recommendation 3.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Storage accounts should allow access from trusted Microsoft services Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. Audit, Deny, Disabled 1.0.0

4.1

Ensure that 'Auditing' is set to 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0

Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.0
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.1

Ensure that Azure Active Directory Admin is Configured for SQL Servers

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0

Ensure that 'Data encryption' is set to 'On' on a SQL Database

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0

Ensure that 'Auditing' Retention is 'greater than 90 days'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.1.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 3.0.0

4.2

Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0

Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0

Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1

Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0

Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0

4.3

Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Log checkpoints should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. AuditIfNotExists, Disabled 1.0.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Log connections should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. AuditIfNotExists, Disabled 1.0.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Disconnections should be logged for PostgreSQL database servers. This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. AuditIfNotExists, Disabled 1.0.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Connection throttling should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. AuditIfNotExists, Disabled 1.0.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Audit, Deny, Disabled 3.1.0
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.1

Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys Audit, Deny, Disabled 1.0.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

4.4

Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

4.5

Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.1.0

Ensure That Private Endpoints Are Used Where Possible

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.5.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0

Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.

ID: CIS Microsoft Azure Foundations Benchmark recommendation 4.5.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Audit, Deny, Disabled 1.1.0

5.1

Ensure that a 'Diagnostic Setting' exists

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

Ensure Diagnostic Setting captures appropriate categories

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 3.0.0
An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. audit, Audit, deny, Deny, disabled, Disabled 3.1.0-preview
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0

Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Maintain integrity of audit system CMA_C1133 - Maintain integrity of audit system Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Storage account containing the container with activity logs must be encrypted with BYOK This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. AuditIfNotExists, Disabled 1.0.0

Ensure that logging for Azure Key Vault is 'Enabled'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All flow log resources should be in enabled state Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.1
Audit flow logs configuration for every virtual network Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.1
Flow logs should be configured for every network security group Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.1.0

5.2

Ensure that Activity Log Alert exists for Create Policy Assignment

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 3.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Delete Policy Assignment

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 3.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Create or Update Network Security Group

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Delete Network Security Group

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Create or Update Security Solution

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Delete Security Solution

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

5

Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it

ID: CIS Microsoft Azure Foundations Benchmark recommendation 5.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.1.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.1.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

6

Ensure that RDP access from the Internet is evaluated and restricted

ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0

Ensure that SSH access from the Internet is evaluated and restricted

ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0

Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

Ensure that Network Watcher is 'Enabled'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 6.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

7

Ensure Virtual Machines are utilizing Managed Disks

ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks audit 1.0.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)

ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Audit, Deny, Disabled 1.0.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

Ensure that Only Approved Extensions Are Installed

ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Audit, Deny, Disabled 1.0.0

Ensure that Endpoint Protection for all Virtual Machines is installed

ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

[Legacy] Ensure that VHDs are Encrypted

ID: CIS Microsoft Azure Foundations Benchmark recommendation 7.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

8

Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.2
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.2
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Audit, Deny, Disabled 1.0.2
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Audit, Deny, Disabled 1.0.2
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Ensure the Key Vault is Recoverable

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Audit, Deny, Disabled 2.1.0
Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Audit, Deny, Disabled 3.0.0

Enable Role Based Access Control for Azure Key Vault

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://zcusa.951200.xyz/en-us/azure/key-vault/general/rbac-migration Audit, Deny, Disabled 1.0.1

Ensure that Private Endpoints are Used for Azure Key Vault

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. [parameters('audit_effect')] 1.2.1

Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

ID: CIS Microsoft Azure Foundations Benchmark recommendation 8.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Audit, Disabled 1.0.0

9

Ensure App Service Authentication is set up for apps in Azure App Service

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. AuditIfNotExists, Disabled 2.0.1
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Function apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. AuditIfNotExists, Disabled 3.0.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

Ensure FTP deployments are Disabled

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Function apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Ensure Azure Key Vaults are Used to Store Secrets

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Maintain availability of information CMA_C1644 - Maintain availability of information Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Ensure Web App is using the latest version of TLS encryption

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Audit, Disabled 3.1.0-deprecated
[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Audit, Disabled 3.1.0-deprecated
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0

Ensure that Register with Azure Active Directory is enabled on App Service

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Function apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0

Ensure That 'PHP version' is the Latest, If Used to Run the Web App

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service app slots that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. AuditIfNotExists, Disabled 3.2.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 4.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Ensure that 'Java version' is the latest, if used to run the Web App

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Function app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. AuditIfNotExists, Disabled 3.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App

ID: CIS Microsoft Azure Foundations Benchmark recommendation 9.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Next steps

Additional articles about Azure Policy: