CIS Microsoft Azure Foundations v1.3.1 L2

Audit Details

Name: CIS Microsoft Azure Foundations v1.3.1 L2

Updated: 6/10/2022

Authority: CIS

Plugin: microsoft_azure

Revision: 1.3

Estimated Item Count: 50

File Details

Filename: CIS_Microsoft_Azure_Foundations_L2_v1.3.1.audit

Size: 179 kB

MD5: b985421dc71294358e0a08afa331e6f5
SHA256: 03ab6df33ab935c3dc010420d27f06ca60e2054a207fe116ae73cecabd7675fe

Audit Items

Description    Categories
1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - List Users

IDENTIFICATION AND AUTHENTICATION

1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Role Assignments

IDENTIFICATION AND AUTHENTICATION

1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Role Definitions

IDENTIFICATION AND AUTHENTICATION

1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'

IDENTIFICATION AND AUTHENTICATION

1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'

ACCESS CONTROL

1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'

ACCESS CONTROL

1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'

CONFIGURATION MANAGEMENT

1.11 Ensure that 'Users can register applications' is set to 'No'

CONFIGURATION MANAGEMENT

1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.13 Ensure that 'Members can invite' is set to 'No'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.14 Ensure that 'Guests can invite' is set to 'No'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.16 Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'

ACCESS CONTROL

1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No'

ACCESS CONTROL

1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'

ACCESS CONTROL

1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'

ACCESS CONTROL

1.21 Ensure that no custom subscription owner roles are created - Action Types

ACCESS CONTROL

1.21 Ensure that no custom subscription owner roles are created - Assignable Scope

ACCESS CONTROL
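The two 1.21 sub-items above (Action Types, Assignable Scope) describe the shape of a custom role that is effectively a subscription Owner: a bare "*" action assignable at the root or at a whole subscription. The script below is an added example and is not code from the audit file or from Tenable; it evaluates that interpretation of the two sub-items over a constructed sample shaped like the output of `az role definition list --custom-role-only true -o json`. The role names and subscription ID in the sample are made up.

```python
"""Flag custom RBAC roles that amount to a subscription Owner (CIS 1.21).

The sample below is constructed for this example and mirrors only the
fields read from `az role definition list --custom-role-only true -o json`.
The test applied (wildcard action AND root/subscription assignable scope)
is this example's reading of the control's two sub-items, not the audit
file's own logic.
"""
import json
import re

# Constructed sample: four custom roles, only one of which is a "custom Owner".
SAMPLE_ROLES = json.loads("""
[
  {"roleName": "CustomOwner", "roleType": "CustomRole",
   "permissions": [{"actions": ["*"], "notActions": []}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]},
  {"roleName": "ReadOnlyPlus", "roleType": "CustomRole",
   "permissions": [{"actions": ["*/read", "Microsoft.Storage/*"], "notActions": []}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]},
  {"roleName": "RGStar", "roleType": "CustomRole",
   "permissions": [{"actions": ["*"], "notActions": []}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"]},
  {"roleName": "LockAdmin", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}],
   "assignableScopes": ["/"]}
]
""")

# A scope that is exactly one subscription (optionally with a trailing slash).
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}/?$")


def has_wildcard_action(role):
    """Sub-item 'Action Types': any permission block grants the bare '*' action.
    Prefixed wildcards such as 'Microsoft.Storage/*' do not count; they are scoped."""
    return any("*" in p.get("actions", []) for p in role.get("permissions", []))


def has_broad_scope(role):
    """Sub-item 'Assignable Scope': root ('/') or an entire subscription.
    A resource-group scope is narrower and is not flagged by this control."""
    return any(s == "/" or SUBSCRIPTION_SCOPE.match(s)
               for s in role.get("assignableScopes", []))


def custom_owner_roles(roles):
    """Names of custom roles that satisfy both sub-items, sorted for stable output."""
    return sorted(r["roleName"] for r in roles
                  if r.get("roleType") == "CustomRole"
                  and has_wildcard_action(r)
                  and has_broad_scope(r))


if __name__ == "__main__":
    for name in custom_owner_roles(SAMPLE_ROLES):
        print(f"FAIL 1.21: custom role '{name}' is an effective subscription Owner")
```

Both predicates must hold: RGStar has the wildcard but only a resource-group scope, and LockAdmin is assignable at the root but grants only lock actions (the kind of narrowly scoped role that 1.23 expects). Management-group scopes are broader than a subscription and would be a reasonable extension of `has_broad_scope`, but they are not what the control text names.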

1.23 Ensure Custom Role is assigned for Administering Resource Locks - Permissions

ACCESS CONTROL, MEDIA PROTECTION

1.23 Ensure Custom Role is assigned for Administering Resource Locks - Role

ACCESS CONTROL, MEDIA PROTECTION

2.1 Ensure that Azure Defender is set to On for Servers

SYSTEM AND INFORMATION INTEGRITY

2.2 Ensure that Azure Defender is set to On for App Service

SYSTEM AND INFORMATION INTEGRITY

2.3 Ensure that Azure Defender is set to On for Azure SQL database servers

SYSTEM AND INFORMATION INTEGRITY

2.4 Ensure that Azure Defender is set to On for SQL servers on machines

SYSTEM AND INFORMATION INTEGRITY

2.5 Ensure that Azure Defender is set to On for Storage

SYSTEM AND INFORMATION INTEGRITY

2.6 Ensure that Azure Defender is set to On for Kubernetes

SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure that Azure Defender is set to On for Container Registries

SYSTEM AND INFORMATION INTEGRITY

2.8 Ensure that Azure Defender is set to On for Key Vault

SYSTEM AND INFORMATION INTEGRITY

2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected

SYSTEM AND INFORMATION INTEGRITY

2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected

SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests

AUDIT AND ACCOUNTABILITY

3.6 Ensure default network access rule for Storage Accounts is set to deny

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access

SECURITY ASSESSMENT AND AUTHORIZATION

3.9 Ensure storage for critical data are encrypted with Customer Managed Key

IDENTIFICATION AND AUTHENTICATION

3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests

AUDIT AND ACCOUNTABILITY

3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests

AUDIT AND ACCOUNTABILITY
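The Azure Defender items 2.1 through 2.8 and the storage-account items 3.6, 3.7 and 3.9 are all answered by fields in ARM resource JSON, which makes them easy to check offline once the JSON has been exported. The script below is an added example, not code from the audit file or from Tenable. It evaluates those eleven items over constructed samples shaped like `az security pricing list -o json` and `az storage account show -o json`; the mapping of each 2.x control to a Defender plan name, the account names, and the key vault URI are assumptions made for the example.

```python
"""Offline evaluation of CIS Azure L2 items 2.1-2.8 and 3.6, 3.7, 3.9.

Both samples are constructed for this example and contain only the
fields the checks read. The control-to-plan mapping below is assumed;
it is not taken from the audit file.
"""
import json

# CIS 2.1-2.8: one Microsoft.Security/pricings resource per Defender plan.
DEFENDER_PLANS = {
    "2.1": "VirtualMachines",
    "2.2": "AppServices",
    "2.3": "SqlServers",
    "2.4": "SqlServerVirtualMachines",
    "2.5": "StorageAccounts",
    "2.6": "KubernetesService",
    "2.7": "ContainerRegistry",
    "2.8": "KeyVaults",
}

# Constructed sample modelled on `az security pricing list -o json`.
# Note that the KeyVaults plan is deliberately absent.
SAMPLE_PRICINGS = json.loads("""
{"value": [
  {"name": "VirtualMachines", "pricingTier": "Standard"},
  {"name": "AppServices", "pricingTier": "Free"},
  {"name": "SqlServers", "pricingTier": "Standard"},
  {"name": "SqlServerVirtualMachines", "pricingTier": "Standard"},
  {"name": "StorageAccounts", "pricingTier": "Free"},
  {"name": "KubernetesService", "pricingTier": "Standard"},
  {"name": "ContainerRegistry", "pricingTier": "Standard"}
]}
""")

# Constructed sample modelled on `az storage account show -o json`:
# one account with the weak defaults, one hardened per 3.6/3.7/3.9.
SAMPLE_STORAGE_ACCOUNTS = json.loads("""
[
  {"name": "stweak",
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"},
   "encryption": {"keySource": "Microsoft.Storage"}},
  {"name": "sthardened",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "Logging, Metrics, AzureServices"},
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "cmk",
                                         "keyVaultUri": "https://kv.vault.azure.net/"}}}
]
""")


def check_defender_plans(pricings):
    """Return {control: (plan, 'PASS'|'FAIL')} for 2.1-2.8.
    A plan missing from the listing is a FAIL, not a skip: no entry means
    the Standard tier was never enabled for it."""
    tiers = {p["name"]: p.get("pricingTier") for p in pricings.get("value", [])}
    return {control: (plan, "PASS" if tiers.get(plan) == "Standard" else "FAIL")
            for control, plan in DEFENDER_PLANS.items()}


def check_storage_account(acct):
    """Return {control: 'PASS'|'FAIL'} for 3.6, 3.7, 3.9 on one account.
    An account that never had a network rule set is treated as
    defaultAction Allow, which is what ARM reports for it."""
    rules = acct.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    # bypass is a comma-separated string, e.g. "Logging, Metrics, AzureServices".
    bypass = {b.strip() for b in rules.get("bypass", "None").split(",")}
    key_source = (acct.get("encryption") or {}).get("keySource", "Microsoft.Storage")
    return {
        "3.6": "PASS" if default_action == "Deny" else "FAIL",
        "3.7": "PASS" if "AzureServices" in bypass else "FAIL",
        "3.9": "PASS" if key_source == "Microsoft.Keyvault" else "FAIL",
    }


def failing_controls(pricings, accounts):
    """Flatten both checks into a sorted list of (control, subject) failures."""
    failures = [(control, plan)
                for control, (plan, status) in check_defender_plans(pricings).items()
                if status == "FAIL"]
    for acct in accounts:
        failures.extend((control, acct["name"])
                        for control, status in check_storage_account(acct).items()
                        if status == "FAIL")
    return sorted(failures)


if __name__ == "__main__":
    for control, subject in failing_controls(SAMPLE_PRICINGS, SAMPLE_STORAGE_ACCOUNTS):
        print(f"FAIL {control}: {subject}")
```

Two caveats a reviewer of the results should keep in mind. First, 3.9 is scoped to storage "for critical data", so a Microsoft-managed key on a scratch account is a finding only if the account holds data you have classified as critical; the check can enumerate candidates but not make that classification. Second, 3.6 with `defaultAction` set to `Deny` and no `AzureServices` bypass (3.7) will also block platform services such as diagnostic-log delivery, which is why the two items are paired.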

4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key

IDENTIFICATION AND AUTHENTICATION

5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)

AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

AUDIT AND ACCOUNTABILITY

7.2 Ensure that 'OS and Data' disks are encrypted with CMK

IDENTIFICATION AND AUTHENTICATION

7.3 Ensure that 'Unattached disks' are encrypted with CMK

IDENTIFICATION AND AUTHENTICATION

7.7 Ensure that VHD's are encrypted

IDENTIFICATION AND AUTHENTICATION

8.3 Ensure that Resource Locks are set for mission critical Azure resources

ACCESS CONTROL, MEDIA PROTECTION

9.1 Ensure App Service Authentication is set on Azure App Service

ACCESS CONTROL, MEDIA PROTECTION

9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

ACCESS CONTROL, MEDIA PROTECTION

9.11 Ensure Azure Keyvaults are used to store secrets

SYSTEM AND COMMUNICATIONS PROTECTION