CIS Microsoft Azure Foundations v1.3.1 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Microsoft Azure Foundations v1.3.1 L1

Updated: 1/4/2023

Authority: Cloud Services

Plugin: microsoft_azure

Revision: 1.6

Estimated Item Count: 66

Audit Items

Description
1.1 Ensure that multi-factor authentication is enabled for all privileged users
1.3 Ensure guest users are reviewed on a monthly basis
1.5 Ensure that 'Number of methods required to reset' is set to '2'
1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - 0
1.7 Ensure that 'Notify users on password resets?' is set to 'Yes'
1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
1.22 Ensure Security Defaults is enabled on Azure Active Directory
2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
2.12 Ensure any of the ASC Default policy setting is not set to 'Disabled' - Disabled
2.13 Ensure 'Additional email addresses' is configured with a security contact email
2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
2.15 Ensure that 'All users with the following roles' is set to 'Owner'
3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
3.2 Ensure that storage account access keys are periodically regenerated
3.4 Ensure that shared access signature tokens expire within an hour
3.5 Ensure that 'Public access level' is set to Private for blob containers
3.8 Ensure soft delete is enabled for Azure Storage
4.1.1 Ensure that 'Auditing' is set to 'On'
4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
4.4 Ensure that Azure Active Directory Admin is configured
5.1.1 Ensure that a 'Diagnostics Setting' exists
5.1.2 Ensure Diagnostic Setting captures appropriate categories
5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
5.2.6 Ensure that activity log alert exists for the Delete Network Security Group Rule
5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule - create/update
5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule - delete
5.3 Ensure that Diagnostic Logs are enabled for all services which support it.
6.1 Ensure that RDP access is restricted from the internet
6.2 Ensure that SSH access is restricted from the internet
6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
6.5 Ensure that Network Watcher is 'Enabled'
6.6 Ensure that UDP Services are restricted from the Internet