Policy Templates for Azure - CIS Versions v1.0.0 to v1.5.0
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates.
For a list of Policy Templates that have been deprecated, see Policy Templates for Azure - DEPRECATED.
To find the Policy Templates for Azure CIS version v2.0.0 onwards, see Policy Templates for Azure.
Azure CIS versions v1.0.0 to v1.5.0
This table lists the Policy Templates provided for use with Azure CIS versions v1.0.0 to v1.5.0.
|
Policy Name |
Resource/ |
Skyhigh CASB Recommended |
CIS v1.0.0 Level 1 |
CIS v1.0.0 Level 2 |
CIS v1.1.0 Level 1 |
CIS v1.1.0 Level 2 |
CIS v1.2.0 Level 1 |
CIS v1.2.0 Level 2 |
CIS v1.3.0 Level 1 |
CIS v1.3.0 Level 2 |
CIS v1.4.0 Level 1 | CIS v1.5.0 Level 1 |
PCI DSS v3.2 |
HIPAA |
NIST 800-53 Rev4 |
Policy Description |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security alert emails should be enabled for subscription owners | Subscription | Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion | |||||||||||||||
| Storage for critical data should be encrypted with customer managed keys | Storage Accounts | Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys. | |||||||||||||||
| Storage account should use the latest TLS version | Storage Accounts | TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit. | |||||||||||||||
| SQL server TDE protector should be encrypted with CMK | SQL Server | Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. | |||||||||||||||
| SQL server audit retention should be greater than 90 days | SQL Server | SQL Server Audit Retention should be configured to be greater than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access. | |||||||||||||||
| Web app should use latest version of TLS encryption | AppService | The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. | |||||||||||||||
| Web app should enable client certificates | AppService | Client certificates (Incoming client certificates) allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | |||||||||||||||
| Web app should use latest HTTP version | AppService | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | |||||||||||||||
| IAM user should have only one active access key | User | 1.13 | 164.308(a)(4) | Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys. | |||||||||||||
| AWS IAM should not have expired SSL/TLS certificates | AWS IAM Server Certificate | 1.19 | 4.1.1, 4.2 | 164.308(a)(3) | Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. | ||||||||||||
| IAM Access Analyzer should be enabled in all regions | AWS Region | 1.20 | AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. | ||||||||||||||
| S3 Bucket Policy should deny HTTP Request | S3 | By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. | |||||||||||||||
| Network ACLs should not have unrestricted SSH access | AWS Network Acl | 5.1 | 1.2.1, 1.1.6, 1.3.4, 1.3.5 | 164.312(e)(1) | Public access to remote server administration port 22, increases the resource attack surface and unnecessarily raises the risk of resource compromise. | ||||||||||||
| Network ACLs should not have unrestricted Remote Desktop access | AWS Network Acl | 5.1 | 1.2.1, 1.1.6, 1.3.4, 1.3.5 | 164.312(e)(1) | Public access to remote server administration port 3389, increases the resource attack surface and unnecessarily raises the risk of resource compromise. | ||||||||||||
| Default Security Group of every VPC should restrict all traffic | Security Group | 5.3 | 1.2.1, 1.1.6, 1.3.4, 1.3.5 | 164.312(e)(1) | Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources. | ||||||||||||
| "Monitor Disk Encryption" should be enabled in Azure Security Center | Security Center | 2.6 | 2.6 | 164.308(a)(3)(i) | Enable Disk encryption recommendations for virtual machines. When this setting is enabled, it recommends enabling disk encryption in all virtual machines to enhance data protection at rest. | ||||||||||||
| ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Security Center | 2.14 | 2.14 | SI-4 | Enable SQL auditing & Threat detection recommendations. When this setting is enabled, it recommends that auditing of access to Azure Database be enabled for compliance and also advanced threat detection, for investigation purposes. | ||||||||||||
| SQL Encryption recommendations should be enabled in Azure Security Center | Security Center | 2.15 | 2.15 | 164.308(a)(3)(i) | Enable SQL Encryption recommendations. When this setting is enabled, it recommends that encryption at rest be enabled for your Azure SQL Database, associated backups, and transaction log files. Even if your data is breached, it will not be readable. | ||||||||||||
| "Monitor Storage Blob Encryption" should be enabled in Azure Security Center | Security Center | 2.11 | 2.11 | 164.308(a)(3)(i) | Enable Storage Encryption recommendations. When this setting is enabled, any new data in Azure Blobs and Files will be encrypted. | ||||||||||||
| Storage Service Encryption should be enabled for Storage Accounts | Storage Accounts | 3.2 | 164.308(a)(3)(i) | Enable data encryption at rest for blobs. Storage service encryption protects your data at rest. Azure Storage encrypts your data as it is written in its data centers, and automatically decrypts it for you as you access it. | |||||||||||||
| Threat detection types should be set to "All" for SQL databases | Database Services | 4.2.3 | 4.5 | Enable all types of threat detection on SQL databases. Enabling all threat detection types, you are protected against SQL injection, database vulnerabilities and any other anomalous activities. | |||||||||||||
| Adaptive Application controls should be enabled in Azure Security Center | Security Center | CM-7(2),CM-7(5),CM-11 | Security Center recommends that you enable adaptive applications controls on all the virtual machines. Application control helps you deal with malicious and/or unauthorized software, by allowing only specific applications to run on your VMs | ||||||||||||||
| Azure resources should be tagged | A tag is a label that you assign to a resource. Each tag consists of a key and an optional value, both of which you define. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Ensure that user-defined tags (metadata) are being used for labelling, collecting and organizing resources available within your environment. | ||||||||||||||||
| Deprecated accounts should be removed from the subscription | Security Center | AC-2 | Security Center recommends that you remove deprecated accounts from your subscriptions. | ||||||||||||||
| Deprecated accounts with owner permissions should be removed from your subscription | Security Center | AC-2 | Security Center recommends that you remove deprecated accounts with owner permissions from your subscriptions. | ||||||||||||||
| External accounts with owner permissions should be removed from your subscription | Security Center | AC-2 | Security Center recommends that you remove external accounts with owner permissions from your subscription in order to prevent unmonitored access. | ||||||||||||||
| Network traffic should be routed through NGFW only | Security Center | Security Center recommends that you configure network security group (NSG) rules that force inbound traffic to your VM through your NGFW. | |||||||||||||||
| Network security group with non HTTP/HTTPS ports should not have unrestricted access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Ensure that only ports 80 and 443 can be accessed publicly. Unrestricted access could lead to unauthorized access to data or lead to an accidental breach. | ||||||||||||
| Network security groups should not have unrestricted CIFS access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Ensure that access through port 445 (CIFS) is restricted to required entities only. CIFS is a commonly used protocol for communication and sharing data. Unrestricted access could lead to unauthorized access to data. | ||||||||||||
| Network security groups should not have unrestricted DNS access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using DNS, ensure that access through port 53 is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted FTP access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Ensure that access through port 20/21 (FTP) is restricted to required entities only. FTP is a commonly used protocol for sharing data. Unrestricted access could lead to unauthorized access to data or lead to an accidental breach. | ||||||||||||
| Network security groups should not have unrestricted MongoDB access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using MongoDB, ensure that access through port 27017, used for MongoDB, is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted MSSQL access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using MSSQL, ensure that access through port 1433, used for MSSQL, is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted MSSQL (UDP) access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Check your security groups for inbound rules that allow unrestricted access to UDP port 1434 and restrict access to required IP addresses only. UDP port 1434 is used by the Microsoft SQL Server. | ||||||||||||
| Network security groups should not have unrestricted MySQL access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using MySQL, ensure that access through port 3306, used for MySQL, is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted NetBIOS (UDP) access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using NetBIOS, ensure that access through 137/138 (UDP) are restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted NetBIOS access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using NetBIOS, ensure that access through port 139 (TCP) are restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted Oracle DB access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using Oracle DB, ensure that access through port 1521, used for Oracle DB, is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted PostgreSQL access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using PostgreSQL, ensure that access through port 5432, used for PostgreSQL, is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted RPC access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using RPC, ensure that access through port 135, used for RPC, is restricted to required entities only. | ||||||||||||
| Network security groups should not have unrestricted SMTP access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | If you are using SMTP, ensure that access through port 25, used for SMTP, is restricted to required entities only. Unrestricted SMTP access can be misused to spam your enterprise, DDOS, etc. | ||||||||||||
| Network security groups should not have unrestricted VNC Listener access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Check your security groups for inbound rules that allow unrestricted access to TCP port 5500 and restrict access to required IP addresses only. TCP port 5500 is used by the VNC Listener | ||||||||||||
| Network security groups should not have unrestricted VNC Server access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Check your security groups for inbound rules that allow unrestricted access to TCP port 5900 and restrict access to required IP addresses only. TCP port 5900 is used by the VNC Server | ||||||||||||
| Network security groups should not have unrestricted RDP access | Networking | 6.1 | 6.1 | 6.1 | 6.1 | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Disable RDP access on Network Security Groups from Internet. The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure. | ||||||||
| Network security groups should not have unrestricted SSH access | Networking | 6.2 | 6.2 | 6.2 | 6.2 | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Disable SSH access on Network Security Groups from Internet. The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure. | ||||||||
| Network security groups should not have unrestricted Telnet access | Networking | 1.2.1 | 164.308(a), 164.308(a)(1)(ii)(B) | SC-7 | Disable unrestricted access on Network Security Groups (i.e. 0.0.0.0/0) on TCP port 23 and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach. TCP port 23 is used by the Telnet server application (telnetd). Telnet is usually used to check whether a client is able to make TCP/IP connections to a particular service. | ||||||||||||
| Azure blob storage containers should not be world readable | Storage Accounts | Risk of unauthorized access or loss of customer data increases with an Azure Blob Storage container that grants READ permissions access to everyone or Azure signed users. Malicious users can exploit the information acquired through the listing process to find objects with misconfigured Access Control Lists (ACLs) permissions and access these compromised objects. This is a Skyhigh recommended best practice. | |||||||||||||||
| VM agents should be installed on Virtual Machines | Virtual Machines | 7.1 | Deprecated | Install VM agent on Virtual Machines. The VM agent must be installed on Azure virtual machines (VMs) in order to enable Azure Security center for data collection. Security Center collects data from your virtual machines (VMs) to assess their security state, provide security recommendations, and alert you to threats. | |||||||||||||
| A maximum of 3 owners should be designated for your subscription | Security Center | AC-5, AC-6(7) | Security Center recommends that you designate less than 3 subscription owners in order to reduce the potential for breach by a compromised owner. | ||||||||||||||
| Auditing on SQL server should be enabled | Database Services | 4.1 | 4.1 | 4.1.1 | 4.1.1 | 164.308(a)(1)(ii)(D) | Security Center recommends that you enabled auditing on SQL servers to track database activities across all databases on the server and save them in an audit log. | ||||||||||
| User defined tags should be used for labeling Azure resources | Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available within your Azure environment. | ||||||||||||||||
| Endpoint protection health issues should be resolved on your machines | Security Center | Security Center recommends that you resolve health issues of VMs. | |||||||||||||||
| External accounts with read permissions should be removed from your subscription | Security Center | AC-2 | Security Center recommends that you remove external accounts with read privileges from your subscription in order to prevent unmonitored access. | ||||||||||||||
| External accounts with write permissions should be removed from your subscription | Security Center | AC-2 | Security Center recommends that you remove external accounts with write privileges from your subscription in order to prevent unmonitored access. | ||||||||||||||
| Latest supported PHP version should be used for Web Application | AppService | 9.7 | 9.7 | 9.7 | 9.6 | Security Center recommends that you use the latest PHP version for the latest security classes. Using older classes and types can make your application vulnerable. | |||||||||||
| Latest supported Python version should be used for Web Application | AppService | 9.8 | 9.8 | 9.8 | 9.7 | Security Center recommends that you use the latest Python version for the latest security classes. Using older classes and types can make your application vulnerable. | |||||||||||
| MFA for accounts with owner permissions on the subscription should be enabled | Security Center | IA-2(1) | Security Center recommends that you enable Multi-Factor Authentication (MFA) for all subscription accounts with administrator privileges to prevent a breach of accounts or resources. | ||||||||||||||
| MFA for accounts with read permissions on subscription not enabled | Security Center | IA-2(2) | Security Center recommends that you enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources. | ||||||||||||||
| MFA for accounts with write permissions on the subscription should be enabled | Security Center | IA-2(1) | Security Center recommends that you enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources. | ||||||||||||||
| Monitoring agent should be installed on virtual machine scale sets | Security Center | Security Center recommends to install the Microsoft Monitoring Agent on VMs to complete their security coverage, VMs should be covered by Security Center's monitoring, assessments and threat detections. | |||||||||||||||
| There should be more than one owner assigned to your subscription | Security Center | AC-5, AC-6(7) | Security Center recommends that you designate more than one subscription owner in order to have administrator access redundancy. | ||||||||||||||
| Vulnerabilities in security configuration on the machines should be remediated | Security Center | Security Center recommends that you align your OS configurations with the recommended security configuration rules, for example, do not allow passwords to be saved. | |||||||||||||||
| Unrestricted network access should be disabled in storage account | Security Center | 1.2.1 | AC-17(1), SC-7 | Security Center recommends to configure network rules and disable unrestricted network access in your storage account firewall settings. So that only applications from allowed networks can access the storage account | |||||||||||||
| Auditing on SQL databases should be enabled | SQL Database | 4.1 | 4.1 | 4.1.1 | 4.1.1 | 10.1, 10.2, 10.3, 10.5, 1.1.1 | 164.308(a)(1)(ii)(D), 164.312(b) | Enable auditing on SQL databases. Auditing tracks database events and writes them to an audit log in your Azure storage account. | |||||||||
| Log Profile should be enabled | Logging and Monitoring | 5.1.1 | 5.1.1 | Enable log profile for exporting activity logs. A Log Profile controls how your Activity Log is exported. By default, activity logs are retained only for 90 days. It is thus recommended to define a log profile using which you could export the logs and store them for a longer duration for analyzing security activities within your Azure subscription. | |||||||||||||
| Data collection should be enabled in Security Center | Security Center | 2.2 | 2.9 | 2.11 | Enable Automatic provisioning of monitoring agent to collect security data. When Automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection and provides alerts. | ||||||||||||
| "Monitor Endpoint protection" should be enabled in Azure Security Center | Security Center | 2.5 | 2.5 | SI-3, SI-3(1) | Enable Endpoint protection recommendations for virtual machines. When this setting is enabled, it recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software. | ||||||||||||
| "Monitor Network Security groups" should be enabled in Azure Security Center | Security Center | 2.7 | 2.7 | Enable Network security groups recommendations for virtual machines. When this setting is enabled, it recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. Network security groups that are configured for a subnet is inherited by all virtual machine network interfaces unless otherwise specified. In addition to checking that a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic. | |||||||||||||
| "Enable Next Generation Firewall monitoring" should be enabled in Azure Security Center | Security Center | 2.9 | 2.9 | Enable Next generation firewall recommendations for virtual machines. When this setting is enabled, it extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance. | |||||||||||||
| "Monitor OS vulnerabilities" should be enabled in Azure Security Center | Security Center | 2.4 | 2.4 | Enable OS vulnerabilities recommendations for virtual machines. When this setting is enabled, it analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to address these vulnerabilities. | |||||||||||||
| "Secure Transfer required" should be set to 'Enabled' | Storage Accounts | 3.1 | 3.1 | 3.1 | 3.1 | 4.1 | 164.308(a)(3)(i), 164.312(a)(2)(iv), 164.312 (e)(1) , 164.312 (e)(2)(ii) | SC-8(1) | Enable data encryption is transit. The secure transfer option enhances the security of your storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPs. Any requests using HTTP will be rejected when secure transfer required is enabled. When you are using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. | ||||||||
| 'Security Contact Emails' should be set in Security Center | Security Center | 2.16 | 2.16 | Provide a security contact email address. This ensures that you are aware of any potential compromise and you can timely mitigate the risk. | |||||||||||||
| Security Contact Phone number should be set in Security Center | Security Center | 2.17 | 2.17 | Provide a security contact phone number. This ensures that you are aware of any potential compromise and you can timely mitigate the risk. | |||||||||||||
| Transparent Data encryption should be enabled on SQL databases | Security Center | 2.3 | Enable system updates recommendations for virtual machines. When this setting is enabled, it retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that is configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines. | ||||||||||||||
| Transparent Data Encryption on SQL databases | Database Services | 4.2.6 | 4.9 | 4.1.2 | 4.1.2 | 164.308(a)(3)(i), 164.312(a)(2)(iv), 164.312 (e)(1), 164.312 (e)(2)(ii) | SC-28(1) | Encrypt database. Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. | |||||||||
| Vulnerability Assessment should be enabled in Azure Security Center | Security Center | 2.1 | 2.10 | RA-5, SI-2 | Enable Vulnerability assessment recommendations for virtual machines. When this setting is enabled, it recommends that you install a vulnerability assessment solution on your VM. | ||||||||||||
| Vulnerability Assessment setting 'Also send email notification to admins and subscription owners' should be set for SQL servers | SQL Server | Enable admins and subscription owners to receive VA scan reports and security alerts from SQL servers. Providing the email address to receive alerts ensures that any detection of anomalous activities is reported as soon as possible, making it more likely to mitigate any potential risk sooner. | |||||||||||||||
| "Monitor Web Application Firewall" should be enabled in Azure Security Center | Security Center | 2.8 | 2.8 | Enable Web application firewall recommendations for virtual machines. When this setting is enabled, it recommends that a web application firewall is provisioned on virtual machines when either of the following is true: Instance-level public IP (ILPIP) is used and the inbound security rules for the associated network security group are configured to allow access to port 80/443.Load-balanced IP is used and the associated load balancing and inbound network address translation (NAT) rules are configured to allow access to port 80/443. | |||||||||||||
| "Monitor Adaptive Application Whitelisting" should be enabled in Azure Security Center | Security Center | 2.13 | 2.13 | Monitor Adaptive Application Controls is recommended to be enabled in Security Center. | |||||||||||||
| An Azure Active Directory administrator should be provisioned for SQL servers | Database Services | 4.19 | 4.19 | 4.4 | 4.4 | Security Center recommends to enable Azure AD authentication for your SQL server. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | |||||||||||
| CORS should not allow every resource to access your Function App | Security Center | Security Center recommends that you allow only required domains to interact with your function. Cross origin resource sharing (CORS) should not allow all domains to access your function application. | |||||||||||||||
| CORS should not allow every resource to access your Web App | Security Center | AC-4 | Security Center recommends that you allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application. | ||||||||||||||
| Diagnostic logs in Event Hub should be enabled | Security Center | AU-12 | Security Center recommends that logs be enabled and retained for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | ||||||||||||||
| Function App should only be accessible over HTTPS | Security Center | Security Center recommends that you limit access of Function apps over HTTPS only. | |||||||||||||||
| Latest supported Java version should be used for Web Application | AppService | 9.9 | 9.9 | 9.9 | 9.8 | Security Center recommends that you use the latest Java version for the latest security classes. Using older classes and types can make your application vulnerable. | |||||||||||
| Monitor access rules in Event Hubs should be enabled in Security Center | Security Center | Monitor access rules in Event Hubs is recommended to be enabled in Security Center. | |||||||||||||||
| Monitor Azure Active Directory Authentication in Service Fabric should be enabled in Security Center | Security Center | AC-2(7) | Monitor Azure Active Directory Authentication in Service Fabric is recommended to be enabled in Security Center. | ||||||||||||||
| Monitor classic compute VMs should be enabled in Security Center | Security Center | Monitor classic compute VMs is recommended to be enabled in Security Center. | |||||||||||||||
| Monitor classic storage accounts should be enabled in Security Center | Security Center | Monitor classic storage accounts is recommended to be enabled in Security Center. | |||||||||||||||
| ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set | Security Center | Monitor cluster protection level in Service Fabric is recommended to be enabled in Security Center. | |||||||||||||||
| Monitor diagnostic logs in Azure App Services should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Azure App Services is recommended to be enabled in Security Center. | ||||||||||||||
| Monitor diagnostic logs in Azure Redis Cache should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Azure Redis Cache is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Azure Search service should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Azure Search service is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Batch accounts should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Batch accounts is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Data Lake Analytics accounts should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Data Lake Analytics accounts is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Data Lake Store accounts should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Data Lake Store accounts is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Event Hub accounts should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Event Hub accounts is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Key Vault should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Key Vault vaults is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Logic Apps should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Logic Apps workflows is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Service Bus should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Service Bus is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Service Fabric should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Service Fabric is recommended to be enabled in Security Center. | ||||||||||||||
| Diagnostic logs in Service Analytics should be enabled in Security Center | Security Center | AU-12 | Monitor diagnostic logs in Stream Analytics is recommended to be enabled in Security Center. | ||||||||||||||
| Remote debugging should be disabled for API App in Security Center | Security Center | AC-17(1) | Monitor disable remote debugging for API App is recommended to be enabled in Security Center. | ||||||||||||||
| Remote debugging should be disabled for Function Application | Security Center | AC-17(1) | Remote debugging requires inbound ports to be opened on an Azure Function application. Remote debugging should be turned off. | ||||||||||||||
| Remote debugging should be disabled for Web Application | Security Center | AC-17(1) | Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off. | ||||||||||||||
| Unrestricted network access to storage account should be disabled in Security Center | Security Center | Monitor disabling of unrestricted network access to storage account is recommended to be enabled in Security Center. | |||||||||||||||
| Encryption should be enabled on Automation account variables in Security Center | Security Center | Monitor encryption of automation accounts is recommended to be enabled in Security Center. | |||||||||||||||
| "Monitor maximum number of owners" should be enabled in Security Center | Security Center | Monitor maximum number of owners is recommended to be enabled in Security Center. | |||||||||||||||
| Metric alerts in Batch accounts should be enabled in Security Center | Security Center | Monitor metric alerts in Batch accounts is recommended to be enabled in Security Center. | |||||||||||||||
| MFA on accounts with owner permissions on the subscription should be enabled in Security Center | Security Center | Monitor MFA for accounts with owner permissions is recommended to be enabled in Security Center. | |||||||||||||||
| MFA for accounts with read permissions should be enabled in Security Center | Security Center | Monitor MFA for accounts with read permissions is recommended to be enabled in Security Center. | |||||||||||||||
| MFA for accounts with write permissions should be enabled in Security Center | Security Center | Monitor MFA for accounts with write permissions is recommended to be enabled in Security Center. | |||||||||||||||
| Minimum number of owners should be enabled in Security Center | Security Center | Monitor minimus number of owners is recommended to be enabled in Security Center. | |||||||||||||||
| Built-in RBAC rules should be enabled in Security Center | Security Center | Monitor of using built-in RBAC rules is recommended to be enabled in Security Center. | |||||||||||||||
| Remove deprecated accounts should be enabled in Security Center | Security Center | Monitor remove deprecated accounts is recommended to be enabled in Security Center. | |||||||||||||||
| Remove deprecated accounts with owner permissions should be enabled in Security Center | Security Center | Monitor remove deprecated accounts with owner permissions is recommended to be enabled in Security Center. | |||||||||||||||
| Remove external accounts with owner permissions should be enabled in Security Center | Security Center | Monitor remove external accounts with owner permissions is recommended to be enabled in Security Center. | |||||||||||||||
| Remove external accounts with read permissions enabled in Security Center | Security Center | Monitor remove external accounts with read permissions is recommended to be enabled in Security Center. | |||||||||||||||
| Remove external accounts with write permissions should be enabled in Security Center | Security Center | Monitor remove external accounts with write permissions is recommended to be enabled in Security Center. | |||||||||||||||
| Service Bus namespace authorization rules should be enabled in Security Center | Security Center | Monitor Service Bus namespace authorization rules is recommended to be enabled in Security Center. | |||||||||||||||
| "Monitor SQL Encryption" should be enabled in Azure Security Center | Security Center | 164.308(a)(3)(i) | Monitor SQL Db encryption is recommended to be enabled in Security Center. | ||||||||||||||
| "Monitor SQL Auditing" should be enabled in Azure Security Center | Security Center | 2.14 | 2.14 | AU-12 | Monitor SQL Servers auditing is recommended to be enabled in Security Center. | ||||||||||||
| "Monitor SQL Vulnerability Assessment results" should be enabled in Azure Security Center | Security Center | 2.10 | 2.1 | Monitor SQL vulnerability assessment results is recommended to be enabled in Security Center. | |||||||||||||
| CORS restrictions for API App should be enabled in Security Center | Security Center | Monitor the CORS restrictions for API App is recommended to be enabled in Security Center. | |||||||||||||||
| CORS restrictions for API Function should be enabled in Security Center | Security Center | Monitor the CORS restrictions for API Function is recommended to be enabled in Security Center. | |||||||||||||||
| CORS restrictions for API Web should be enabled in Security Center | Security Center | Monitor the CORS restrictions for API Web is recommended to be enabled in Security Center. | |||||||||||||||
| Provisioning of an Azure AD administrator for SQL server should be enabled in Security Center | Security Center | AC-2(7) | Monitor the provisioning of an Azure AD administrator for SQL server is recommended to be enabled in Security Center. | ||||||||||||||
| Secure transfer to storage accounts should be enabled | Security Center | Monitor the secure transfer to storage account is recommended to be enabled in Security Center. | |||||||||||||||
| Use of HTTPS in API App should be enabled in Security Center | Security Center | SC-8(1) | Monitor the use of HTTPS in API App is recommended to be enabled in Security Center. | ||||||||||||||
| Use of HTTPS in Function App should be enabled in Security Center | Security Center | SC-8(1) | Monitor the use of HTTPS in function App is recommended to be enabled in Security Center. | ||||||||||||||
| Use of HTTPS in Web App should be enabled in Security Center | Security Center | SC-8(1) | Monitor the use of HTTPS in Web App is recommended to be enabled in Security Center. | ||||||||||||||
| Use latest Java version in Web App should be enabled in Security Center | Security Center | Monitor use latest Java in Web App is recommended to be enabled in Security Center. | |||||||||||||||
| Use latest PHP version in Web App should be enabled in Security Center | Security Center | Monitor use latest PHP in Web App is recommended to be enabled in Security Center. | |||||||||||||||
| Use latest Python version in Web App should be enabled in Security Center | Security Center | Monitor use latest Python in Web App is recommended to be enabled in Security Center. | |||||||||||||||
| DDoS Protection Standard should be enabled in Security Center | Security Center | SC-5 | Monitor use of DDoS protection for virtual network is recommended to be enabled in Security Center. | ||||||||||||||
| Remote debugging should be turned off for Function App | Security Center | AC-17(1) | Security Center recommends that you turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App. | ||||||||||||||
| Remote debugging should be turned off for Web Application | Security Center | AC-17(1) | Security Center recommends that you turn off debugging for Web Application if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Web Application App. | ||||||||||||||
| System Configurations should be enabled in Security Center | Security Center | Monitor System Configurations is recommended to be enabled in Security Center. | |||||||||||||||
| Vulnerability assessment solution should be installed on your virtual machines | Security Center | RA-5, SI-2 | Security Center recommends that you install a vulnerability assessment solution on your VM. | ||||||||||||||
| Web app should redirect all HTTP traffic to HTTPS in Azure App Service | AppService | 9.2 | 9.2 | 9.2 | 9.2 | SC-7 | Security Center recommends that you limit access of Web Application over HTTPS only. | ||||||||||
| Latest OS Patches updates should be enabled for Virtual Machines | Virtual Machines | 7.5 | 7.5 | 7.5 | 7.5 | SI-2 | Ensure Latest OS Patches for Virtual Machines. Windows and Linux virtual machines should be kept updated to Address a specific bug or flaw,Improve an OS or application’s general stability and Fix a security vulnerability | ||||||||||
| Activity Logs should be integrated with Azure Monitor | Logging and Monitoring | Azure Activity Log provides insight into subscription-level events that have occurred in your Azure subscription.Monitoring solutions typically collect log data and provide queries and views to analyze collected data. Activity log alerts using Azure Monitor can be used to create, view, and manage activity log alerts. | |||||||||||||||
| "Monitor maximum number of owners" should be enabled in Security Center | Security Policy | Monitor maximum number of owners is recommended to be enabled in Security Center. | |||||||||||||||
| Network Security Group should not have excessive inbound access | Networking | Ensure that excessive permissions to access network security groups is not specified, such as using RFC 1918 to white-list large ranges of IP Addresses. Only specific Private IP Addresses must have in-bound access. | |||||||||||||||
| Network security group should have specific ports configured | Networking | Ensure that ranges of ports are not open on your network security groups. Leaving large ranges of ports open leads to vulnerabilities potentially being exposed. In addition, attackers can scan ports and expose vulnerabilities of applications hosted without easy trace ability due to large port ranges being open. | |||||||||||||||
| NSG Flow logs should be enabled | Networking | Network security group (NSG) flow logs allows you to view information about ingress and egress IP traffic through an NSG. Enabling Flow logs on all NSGs will ensure that all traffic is recorded. | |||||||||||||||
| Send email also to subscription owners' should be 'ON' | Security Center | 2.19 | 2.19 | Enable security alerts emailing to security contact. This ensures that you are aware of any potential security issues and you can timely mitigate the risk. | |||||||||||||
| Send email notification for high severity alerts' should be 'ON' | Security Center | 2.18 | 2.18 | 2.12 | 2.14 | Enable security alerts emailing to subscription owners. This ensures that they are aware of any potential security issues and can timely mitigate the risk. | |||||||||||
| The storage account used to store activity logs should not be unencrypted | Logging and Monitoring | Archiving the Activity Log to a storage account is useful if you would like to retain your log data longer than 90 days. Storage service encryption protects your data at rest. Azure Storage encrypts your data as it is written in its data centers, and automatically decrypts it for you as you access it. | |||||||||||||||
| Data disks should not be unencrypted | Disk | 7.3 | 7.2 | 7.2 | 7.2 | Encrypting your IaaS VM's Data disks (non-boot volume) ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. | |||||||||||
| OS disks should not be unencrypted | Disk | 7.2 | 7.1, 7.3 | 7.2, 7.3 | 7.2,7.3 | ||||||||||||
| The storage account should not have unrestricted access to wide network | Storage Accounts | Storage accounts accept connections from clients on any network. Configure storage accounts to deny access to traffic from wide networks and add firewall rules to access specified set of networks for accessing a storage account. | |||||||||||||||
| The storage account used to store activity logs should not have unrestricted access | Logging and Monitoring | Archiving the Activity Log to a storage account is useful if you would like to retain your log data longer than 90 days. Storage accounts accept connections from clients on any network. Configure storage accounts to deny access to traffic from all networks and add firewall rules to access specified set of networks for accessing a storage account. | |||||||||||||||
| SQL servers should not have unrestricted access | Networking | Risk of unauthorized access or loss of customer data increases with unrestricted access to SQL Server instances | |||||||||||||||
| Storage account should not have unrestricted access | Storage Accounts | Storage accounts accept connections from clients on any network. Configure storage accounts to deny access to traffic from all networks and add firewall rules to access specified set of networks for accessing a storage account. | |||||||||||||||
| Network Security Groups should not have unrestricted inbound access | Networking | Allowing unrestricted inbound access to uncommon ports can increase opportunities for malicious activity such as hacking, data loss and all multiple types of attacks (brute-force attacks, Denial of Service (DoS) attacks, etc). | |||||||||||||||
| "Monitor JIT Network Access" should be enabled in Azure Security Center | Security Center | 2.12 | 2.12 | AC-2(12), SC-7(4) | Enable JIT Network Access for virtual machines. When this setting is enabled, it Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic should be locked down. Just in time virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. | ||||||||||||
| Additional email addresses for Microsoft Defender notifications should be configured | Subscription | Microsoft Defender emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. |