CIS Microsoft Azure Foundations v3.0.0 L1

Audit Details

Name: CIS Microsoft Azure Foundations v3.0.0 L1

Updated: 11/6/2024

Authority: CIS

Plugin: microsoft_azure

Revision: 1.0

Estimated Item Count: 91

File Details

Filename: CIS_Microsoft_Azure_Foundations_v3.0.0_L1.audit

Size: 298 kB

MD5: b979879e322e371738443f5ef9b37736
SHA256: 3d6f0ecbd26204379807700ab17b334ab2187445e686fb08f4a29ffd86ded863

Audit Items

DescriptionCategories
2.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

IDENTIFICATION AND AUTHENTICATION

2.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled

IDENTIFICATION AND AUTHENTICATION

2.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.4 Ensure Guest Users Are Reviewed on a Regular Basis

ACCESS CONTROL

2.5 Ensure That 'Number of methods required to reset' is set to '2'

IDENTIFICATION AND AUTHENTICATION

2.6 Ensure that account 'Lockout Threshold' is less than or equal to '10'

ACCESS CONTROL

2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'

ACCESS CONTROL

2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'

ACCESS CONTROL

2.10 Ensure that 'Notify users on password resets?' is set to 'Yes'

ACCESS CONTROL

2.11 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'

ACCESS CONTROL

2.12 Ensure 'User consent for applications' is set to 'Do not allow user consent'

ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

2.14 Ensure That 'Users Can Register Applications' Is Set to 'No'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

2.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

2.17 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'

IDENTIFICATION AND AUTHENTICATION

2.23 Ensure That No Custom Subscription Administrator Roles Exist

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.26 Ensure fewer than 5 users have global administrator assignment

ACCESS CONTROL

3.1.1.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

RISK ASSESSMENT

3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1.12 Ensure That 'All users with the following roles' is set to 'Owner'

INCIDENT RESPONSE

3.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email

INCIDENT RESPONSE

3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High'

SYSTEM AND INFORMATION INTEGRITY

3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.5 Ensure the Key Vault is Recoverable

CONTINGENCY PLANNING

4.1 Ensure that 'Secure transfer required' is set to 'Enabled'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND INFORMATION INTEGRITY

4.4 Ensure that Storage Account Access Keys are Periodically Regenerated

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MAINTENANCE

4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour

ACCESS CONTROL

4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts

ACCESS CONTROL, MEDIA PROTECTION

4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

CONTINGENCY PLANNING

4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.16 Ensure 'Cross Tenant Replication' is not enabled

ACCESS CONTROL, MEDIA PROTECTION

4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'

ACCESS CONTROL, MEDIA PROTECTION

5.1.1 Ensure that 'Auditing' is set to 'On'

AUDIT AND ACCOUNTABILITY

5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

ACCESS CONTROL, MEDIA PROTECTION

5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers

ACCESS CONTROL

5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'

AUDIT AND ACCOUNTABILITY

5.1.7 Ensure Public Network Access is Disabled

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server

AUDIT AND ACCOUNTABILITY

5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server

AUDIT AND ACCOUNTABILITY

5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server

AUDIT AND ACCOUNTABILITY