CIS Microsoft Azure Foundations v2.1.0 L2

Audit Details

Name: CIS Microsoft Azure Foundations v2.1.0 L2

Updated: 6/17/2024

Authority: CIS

Plugin: microsoft_azure

Revision: 1.1

Estimated Item Count: 56

File Details

Filename: CIS_Microsoft_Azure_Foundations_v2.1.0_L2.audit

Size: 254 kB

MD5: 8a45cb6a028887393daeeecd48b9587c
SHA256: 187b7a327987a9be6ce7d45e683f36c2ea9a8d07ed96e013b098537eb08ec085

Audit Items

DescriptionCategories
1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

IDENTIFICATION AND AUTHENTICATION

1.11 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'

ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.15 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

1.17 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.19 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.20 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.23 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

1.24 Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'

RISK ASSESSMENT

2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'

RISK ASSESSMENT

2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On'

RISK ASSESSMENT

2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

ACCESS CONTROL, RISK ASSESSMENT

2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'

RISK ASSESSMENT

2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'

RISK ASSESSMENT

2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled

RISK ASSESSMENT

2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

AUDIT AND ACCOUNTABILITY

3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

ACCESS CONTROL, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

AUDIT AND ACCOUNTABILITY

3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests

AUDIT AND ACCOUNTABILITY

4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server

AUDIT AND ACCOUNTABILITY

4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server

AUDIT AND ACCOUNTABILITY

4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

4.5.2 Ensure That Private Endpoints Are Used Where Possible

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

SYSTEM AND INFORMATION INTEGRITY

5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled

AUDIT AND ACCOUNTABILITY

5.3.1 Ensure Application Insights are Configured

AUDIT AND ACCOUNTABILITY

5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)

SYSTEM AND SERVICES ACQUISITION

6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

AUDIT AND ACCOUNTABILITY

6.6 Ensure that Network Watcher is 'Enabled'

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

7.1 Ensure an Azure Bastion Host Exists

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.6 Ensure that Endpoint Protection for all Virtual Machines is installed

SYSTEM AND INFORMATION INTEGRITY

7.7 [Legacy] Ensure that VHDs are Encrypted

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.8 Ensure only MFA enabled identities can access privileged Virtual Machine

IDENTIFICATION AND AUTHENTICATION