CIS 1.1.0 security controls for Azure

CIS 1.1.0 security controls for Azure

CIS Microsoft Azure Foundations Benchmark security controls are listed below (please note that although this is the complete list of all the controls specified by the CIS standard, only 48 of them have been enabled for automatic auditing in Azure and very few of them have any automated remediation available, most of them require manual steps and need a regular review to make sure any changes done to existing resources and the new resources added to the environment still comply with them- our Managed Azure Security Service solves all those problems!):

CIS 1.1.0 security controls for Azure
Domain Nr Security Control Name
Identity and Access Management 1.1 Ensure that multi-factor authentication is enabled for all privileged users
1.2Ensure that multi-factor authentication is enabled for all non-privileged users
1.3Ensure that there are no guest users
1.4Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is ‘Disabled’
1.5Ensure that ‘Number of methods required to reset’ is set to ‘2’
1.6Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ is not set to “0”
1.7Ensure that ‘Notify users on password resets?’ is set to ‘Yes’
1.8Ensure that ‘Notify all admins when other admins reset their password?’ is set to ‘Yes’
1.9Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to ‘No’
1.1Ensure that ‘Users can add gallery apps to their Access Panel’ is set to ‘No’
1.11Ensure that ‘Users can register applications’ is set to ‘No’
1.12Ensure that ‘Guest user permissions are limited’ is set to ‘Yes’
1.13Ensure that ‘Members can invite’ is set to ‘No’
1.14Ensure that ‘Guests can invite’ is set to ‘No’
1.15Ensure that ‘Restrict access to Azure AD administration portal’ is set to ‘Yes’
1.16Ensure that ‘Self-service group management enabled’ is set to ‘No’
1.17Ensure that ‘Users can create security groups’ is set to ‘No’
1.18Ensure that ‘Users who can manage security groups’ is set to ‘None’
1.19Ensure that ‘Users can create Office 365 groups’ is set to ‘No’
1.20Ensure that ‘Users who can manage Office 365 groups’ is set to ‘None’
1.21Ensure that ‘Enable “All Users” group’ is set to ‘Yes’
1.22Ensure that ‘Require Multi-Factor Auth to join devices’ is set to ‘Yes’
1.23Ensure that no custom subscription owner roles are created
DomainNr Security Control Name
Security Center2.1 Ensure that standard pricing tier is selected
2.2Ensure that ‘Automatic provisioning of monitoring agent’ is set to ‘On’
2.3Ensure ASC Default policy setting “Monitor System Updates” is not “Disabled”
2.4Ensure ASC Default policy setting “Monitor OS Vulnerabilities” is not “Disabled”
2.5Ensure ASC Default policy setting “Monitor Endpoint Protection” is not “Disabled”
2.6Ensure ASC Default policy setting “Monitor Disk Encryption” is not “Disabled”
2.7Ensure ASC Default policy setting “Monitor Network Security Groups” is not “Disabled”
2.8Ensure ASC Default policy setting “Monitor Web Application Firewall” is not “Disabled”
2.9Ensure ASC Default policy setting “Enable Next Generation Firewall(NGFW) Monitoring” is not “Disabled”
2.10Ensure ASC Default policy setting “Monitor Vulnerability Assessment” is not “Disabled”
2.11Ensure ASC Default policy setting “Monitor Storage Blob Encryption” is not “Disabled”
2.12Ensure ASC Default policy setting “Monitor JIT Network Access” is not “Disabled”
2.13Ensure ASC Default policy setting “Monitor Adaptive Application Whitelisting” is not “Disabled”
2.14Ensure ASC Default policy setting “Monitor SQL Auditing” is not “Disabled”
2.15Ensure ASC Default policy setting “Monitor SQL Encryption” is not “Disabled”
2.16Ensure that ‘Security contact emails’ is set
2.17Ensure that security contact ‘Phone number’ is set
2.18Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’
2.19Ensure that ‘Send email also to subscription owners’ is set to ‘On’
DomainNr Security Control Name
Storage Accounts3.1 Ensure that ‘Secure transfer required’ is set to ‘Enabled’
3.2Ensure that storage account access keys are periodically regenerated
3.3Ensure Storage logging is enabled for Queue service for read, write, and delete requests
3.4Ensure that shared access signature tokens expire within an hour
3.5Ensure that shared access signature tokens are allowed only over https
3.6Ensure that ‘Public access level’ is set to Private for blob containers
3.7Ensure default network access rule for Storage Accounts is set to deny
3.8Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access
DomainNr Security Control Name
Database Services4.1 Ensure that ‘Auditing’ is set to ‘On’
4.2Ensure that ‘AuditActionGroups’ in ‘auditing’ policy for a SQL server is set properly
4.3Ensure that ‘Auditing’ Retention is ‘greater than 90 days’
4.4Ensure that ‘Advanced Data Security’ on a SQL server is set to ‘On’
4.5Ensure that ‘Threat Detection types’ is set to ‘All’
4.6Ensure that ‘Send alerts to’ is set
4.7Ensure that ‘Email service and co-administrators’ is ‘Enabled’
4.8Ensure that Azure Active Directory Admin is configured
4.9Ensure that ‘Data encryption’ is set to ‘On’ on a SQL Database
4.1Ensure SQL server’s TDE protector is encrypted with BYOK (Use your own key)
4.11Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server
4.12Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server
4.13Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server
4.14Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server
4.15Ensure server parameter ‘log_disconnections’ is set to ‘ON’ for PostgreSQL Database Server
4.16Ensure server parameter ‘log_duration’ is set to ‘ON’ for PostgreSQL Database Server
4.17Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server
4.18Ensure server parameter ‘log_retention_days’ is greater than 3 days for PostgreSQL Database Server
4.19Ensure that Azure Active Directory Admin is configured
DomainNr Security Control Name
Configuring Log Profile 5.1.1 Ensure that a Log Profile exists
5.1.2Ensure that Activity Log Retention is set 365 days or greater
5.1.3Ensure audit profile captures all the activities
5.1.4Ensure the log profile captures activity logs for all regions including global
5.1.5Ensure the storage container storing the activity logs is not publicly accessible
5.1.6Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
5.1.7Ensure that logging for Azure KeyVault is ‘Enabled’
Monitoring using Activity Log Alerts 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
5.2.2Ensure that Activity Log Alert exists for Create or Update Network Security Group
5.2.3Ensure that Activity Log Alert exists for Delete Network Security Group
5.2.4Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
5.2.5Ensure that activity log alert exists for the Delete Network Security Group Rule
5.2.6Ensure that Activity Log Alert exists for Create or Update Security Solution
5.2.7Ensure that Activity Log Alert exists for Delete Security Solution
5.2.8Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
5.2.9Ensure that Activity Log Alert exists for Update Security Policy
DomainNr Security Control Name
Networking 6.1 Ensure that RDP access is restricted from the internet
6.2Ensure that SSH access is restricted from the internet
6.3Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
6.4Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’
6.5Ensure that Network Watcher is ‘Enabled’
Virtual Machines 7.1 Ensure that ‘OS disk’ are encrypted
7.2Ensure that ‘Data disks’ are encrypted
7.3Ensure that ‘Unattached disks’ are encrypted
7.4Ensure that only approved extensions are installed
7.5Ensure that the latest OS Patches for all Virtual Machines are applied
7.6Ensure that the endpoint protection for all Virtual Machines is installed
Other Security Considerations 8.1 Ensure that the expiration date is set on all keys
8.2Ensure that the expiration date is set on all Secrets
8.3Ensure that Resource Locks are set for mission critical Azure resources
8.4Ensure the key vault is recoverable
8.5Enable role-based access control (RBAC) within Azure Kubernetes Services
AppService 9.1 Ensure App Service Authentication is set on Azure App Service
9.2Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
9.3Ensure web app is using the latest version of TLS encryption
9.4Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set to ‘On’
9.5Ensure that Register with Azure Active Directory is enabled on App Service
9.6Ensure that ‘.Net Framework’ version is the latest, if used as a part of the web app
9.7Ensure that ‘PHP version’ is the latest, if used to run the web app
9.8Ensure that ‘Python version’ is the latest, if used to run the web app
9.9Ensure that ‘Java version’ is the latest, if used to run the web app
9.10Ensure that ‘HTTP Version’ is the latest, if used to run the web app