CIS Microsoft Azure Foundations v1.3.1 L2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Microsoft Azure Foundations v1.3.1 L2

Updated: 1/4/2023

Authority: Cloud Services

Plugin: microsoft_azure

Revision: 1.4

Estimated Item Count: 50

Audit Items

Description | Categories
1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - List Users
1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Role Assignments
1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Role Definitions
1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'
1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
1.11 Ensure that 'Users can register applications' is set to 'No'
1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes'
1.13 Ensure that 'Members can invite' is set to 'No'
1.14 Ensure that 'Guests can invite' is set to 'No'
1.16 Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'
1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No'
1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'
1.21 Ensure that no custom subscription owner roles are created - Action Types
1.21 Ensure that no custom subscription owner roles are created - Assignable Scope
1.23 Ensure Custom Role is assigned for Administering Resource Locks - Permissions
1.23 Ensure Custom Role is assigned for Administering Resource Locks - Role
2.1 Ensure that Azure Defender is set to On for Servers
2.2 Ensure that Azure Defender is set to On for App Service
2.3 Ensure that Azure Defender is set to On for Azure SQL database servers
2.4 Ensure that Azure Defender is set to On for SQL servers on machines
2.5 Ensure that Azure Defender is set to On for Storage
2.6 Ensure that Azure Defender is set to On for Kubernetes
2.7 Ensure that Azure Defender is set to On for Container Registries
2.8 Ensure that Azure Defender is set to On for Key Vault
2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests
3.6 Ensure default network access rule for Storage Accounts is set to deny
3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
3.9 Ensure storage for critical data are encrypted with Customer Managed Key
3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests
3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server
4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
7.2 Ensure that 'OS and Data' disks are encrypted with CMK
7.3 Ensure that 'Unattached disks' are encrypted with CMK
7.7 Ensure that VHD's are encrypted
8.3 Ensure that Resource Locks are set for mission critical Azure resources
9.1 Ensure App Service Authentication is set on Azure App Service
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
9.11 Ensure Azure Keyvaults are used to store secrets