CIS Microsoft Azure Foundations v6.0.0 L2

Audit Details

Name: CIS Microsoft Azure Foundations v6.0.0 L2

Updated: 6/3/2026

Authority: CIS

Plugin: microsoft_azure

Revision: 1.0

Estimated Item Count: 53

File Details

Filename: CIS_Microsoft_Azure_Foundations_v6.0.0_L2.audit

Size: 188 kB

MD5: 4331c8f2adc75bbe8b777126bbf995a4
SHA256: d776332d9ad9478853cce74e94c979414b60583ed87eeb1c56647eda3963660e

Audit Items

DescriptionCategories
2.1.3 Ensure that Traffic is Encrypted Between Cluster Worker Nodes

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.8 Ensure Critical Data in Azure Databricks is Encrypted with Customer-managed Keys (CMK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.11 Ensure Private Endpoints are used to access Azure Databricks workspaces

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.1 Ensure only MFA Enabled Identities can Access Privileged Virtual Machine

IDENTIFICATION AND AUTHENTICATION

5.5 Ensure that a Custom Role is Assigned Permissions for Administering Resource Locks

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

5.6 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

6.1.1.3 Ensure the Storage Account Containing the Container with Activity Logs is Encrypted with Customer-managed Key (CMK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.1.1.5 Ensure that Network Security Group Flow Logs are Captured and Sent to Log Analytics

SYSTEM AND INFORMATION INTEGRITY

6.1.1.6 Ensure that Virtual Network Flow Logs are Captured and Sent to Log Analytics

SYSTEM AND INFORMATION INTEGRITY

6.1.1.7 Ensure that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Graph Activity Logs to an Appropriate Destination

AUDIT AND ACCOUNTABILITY

6.1.1.8 Ensure that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Entra Activity Logs to an Appropriate Destination

AUDIT AND ACCOUNTABILITY

6.1.1.9 Ensure that Intune Logs are Captured and Sent to Log Analytics

AUDIT AND ACCOUNTABILITY

6.1.3.1 Ensure Application Insights are Configured

AUDIT AND ACCOUNTABILITY

6.1.5 Ensure Basic, Free, and Consumption SKUs are not used on Production artifacts requiring monitoring and SLA

SYSTEM AND SERVICES ACQUISITION

6.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources

ACCESS CONTROL, MEDIA PROTECTION

7.5 Ensure that Network Security Group Flow Log Retention Days is Set to Greater than or equal to 90

AUDIT AND ACCOUNTABILITY

7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions That are in Use

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

7.8 Ensure that Virtual Network Flow Log Retention Days is Set to Greater than or Equal to 90

AUDIT AND ACCOUNTABILITY

7.9 Ensure 'Authentication type' is Set to 'Azure Active Directory' only for Azure VPN Gateway Point-to-Site Configuration

ACCESS CONTROL

7.10 Ensure Azure Web Application Firewall (WAF) is Enabled on Azure Application Gateway

SYSTEM AND COMMUNICATIONS PROTECTION

7.14 Ensure Request Body Inspection is Enabled in Azure Web Application Firewall policy on Azure Application Gateway

SYSTEM AND COMMUNICATIONS PROTECTION

7.15 Ensure Bot Protection is Enabled in Azure Web Application Firewall Policy on Azure Application Gateway

SYSTEM AND COMMUNICATIONS PROTECTION

7.16 Ensure Azure Network Security Perimeter is Used to Secure Azure Platform-as-a-service Resources

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

8.1.1.1 Ensure Microsoft Defender CSPM is Set to 'On'

RISK ASSESSMENT

8.1.2.1 Ensure Microsoft Defender for APIs is Set to 'On'

SECURITY ASSESSMENT AND AUTHORIZATION, RISK ASSESSMENT

8.1.3.1 Ensure that Defender for Servers is Set to 'On'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

8.1.3.2 Ensure that 'Vulnerability assessment for machines' Component Status is set to 'On'

RISK ASSESSMENT

8.1.3.3 Ensure that 'Endpoint protection' Component Status is set to 'On'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

8.1.3.4 Ensure that 'Agentless scanning for machines' Component Status is Set to 'On'

RISK ASSESSMENT

8.1.3.5 Ensure that 'File Integrity Monitoring' Component Status is Set to 'On'

RISK ASSESSMENT

8.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'

RISK ASSESSMENT

8.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On'

RISK ASSESSMENT

8.1.5.2 Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored

AUDIT AND ACCOUNTABILITY

8.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

8.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

8.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

8.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

8.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION

8.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On'

RISK ASSESSMENT

8.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

ACCESS CONTROL, RISK ASSESSMENT

8.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is Enabled

RISK ASSESSMENT

8.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

8.3.6 Ensure that Role Based Access Control for Azure Key Vault is Enabled

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

8.3.8 Ensure Private Endpoints are Used to Access Azure Key Vault

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

8.3.9 Ensure Automatic Key Rotation is Enabled within Azure Key Vault

ACCESS CONTROL

8.3.10 Ensure that Azure Key Vault Managed HSM is Used when Required

SYSTEM AND COMMUNICATIONS PROTECTION

8.4.1 Ensure an Azure Bastion Host Exists

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

8.5 Ensure Azure DDoS Network Protection is Enabled on Virtual Networks

SYSTEM AND INFORMATION INTEGRITY

9.2.3 Ensure 'Versioning' is Set to 'Enabled' on Azure Blob Storage Storage Accounts

CONTINGENCY PLANNING

9.3.2.1 Ensure Private Endpoints are Used to Access Storage Accounts

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION