How to Achieve CIS Compliance for Azure Virtual Machines
CIS compliance is crucial for establishing strong security controls and safeguarding your cloud infrastructure against cyber threats. Pulumi can help you identify existing cloud resources that are not in compliance, and it can also enforce compliance policies proactively before infrastructure is deployed. Get started with Pulumi to use these compliance tools or speak with a Solutions Architect to get an expert consultation.
What is CIS Compliance?
CIS (Center for Internet Security) Compliance refers to the adherence to security best practices outlined by the CIS, a nonprofit organization that develops globally recognized security standards. These best practices are known as CIS Controls and CIS Benchmarks, which provide guidelines for securing various technologies and systems, including operating systems, cloud services, network devices, and software.
Key Aspects of CIS Compliance
- Implementation of Controls: Start by implementing the CIS Controls relevant to your organization's size and risk profile.
- Use CIS Benchmarks: Configure your systems and applications according to CIS Benchmarks.
- Regular Audits: Continuously monitor and audit your systems to ensure ongoing compliance with CIS recommendations.
- Automation Tools: Consider using CIS-CAT (CIS Configuration Assessment Tool) or other automation tools to assess and enforce compliance across your infrastructure.
Benefits of CIS Compliance
- Standardized Security: Ensures that your organization follows industry-recognized security best practices.
- Risk Reduction: Helps in reducing the attack surface by implementing critical security controls.
- Compliance with Other Standards: CIS Controls and Benchmarks often overlap with other compliance frameworks like PCI-DSS, NIST, and ISO, making it easier to achieve multiple compliance goals simultaneously.
- Improved Incident Response: By implementing CIS Controls, organizations are better equipped to detect, respond to, and recover from security incidents.
Pulumi Insights
Use Pulumi Insights to gain visibility into your cloud infrastructure's configuration to assess CIS compliance. Pulumi Insights is Intelligent Cloud Management. It helps you gain security, compliance, and cost insights into the entirety of your organization's cloud assets and automatically remediate issues.

Pulumi Copilot
Use Pulumi Copilot to help configure your infrastructure so that it is compliance ready. You can tap into Pulumi Copilot's deep understanding of your organization's context to gain visibility into the configuration of resources and assess their compliance.

Compliance Ready Policies
With comprehensive coverage of Azure, Pulumi Compliance Ready Policies provide an enhanced level of control and governance over your cloud resources. Pulumi Compliance Ready Policies empower you to enforce best practices, security standards, cost controls, and compliance requirements seamlessly within your infrastructure-as-code workflows.
What is Azure Virtual Machines?
Azure Virtual Machines provide scalable, on-demand compute resources in the cloud, enabling users to run applications, deploy workloads, and manage operating systems without maintaining physical hardware. With support for various operating systems like Windows and Linux, users can configure and scale VMs to meet their performance and cost requirements. Azure Virtual Machines offer features like auto-scaling, high availability, and seamless integration with other Azure services for enhanced cloud-based computing.
What controls can I put in place to evaluate Azure Virtual Machines resources?
- Azure Managed Disks snapshots should not be publicly restorable
- Azure Virtual Network (VNet) default network security groups (NSGs) should not allow inbound or outbound traffic
- Attached Azure Managed Disks should be encrypted at rest
- Stopped Azure Virtual Machines (VMs) should be removed after a specified time period
- Network security logging should be enabled for all Azure VNets
- Default encryption for Azure Managed Disks should be enabled
- Azure VMs should use Instance Metadata Service Version 2 (IMDSv2)
- Azure Virtual Machines should not have a public IP address
- Azure Virtual Machines should be configured to use private link or VNet service endpoints
- Unused Azure Public IPs should be removed
- Network security groups should not allow ingress from 0.0.0.0/0 to SSH port (22)
- Network security groups should not allow ingress from 0.0.0.0/0 to RDP port (3389)
- Azure Virtual Networks should not automatically assign public IP addresses
- Unused Network Security Groups should be removed
- Azure Virtual Machines should not use multiple network interfaces (NICs)
- Network security groups should only allow unrestricted incoming traffic for authorized ports
- Network security groups should not allow unrestricted access to high-risk ports
- Both VPN tunnels for an Azure VPN Gateway connection should be up
- Network security groups should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- Azure Virtual Network (VNet) peering connections should not automatically accept peering requests
- Azure VM instances should not use legacy VM types
- Azure VM scale sets should not assign public IPs to NICs
- Azure Managed Disks should be covered by a backup policy
- Azure Virtual Network Gateway connections should be tagged
- Azure Virtual Network route tables should be tagged
- Azure Network Interfaces (NICs) should be tagged
- Azure Virtual Network Gateways should be tagged
- Azure Public IPs should be tagged
- Azure Virtual Machines should be tagged
- Azure NAT Gateways should be tagged
- Azure Network Security Groups should be tagged
- Azure Virtual Networks should be tagged
- Azure Virtual Network endpoint services should be tagged
- Azure VNet flow logs should be tagged
- Azure VNet peering connections should be tagged
- Azure VPN Gateways should be tagged
- Azure Client VPN endpoints should have client connection logging enabled
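The network security group controls above (no ingress from 0.0.0.0/0 to port 22 or 3389) can be evaluated directly against the resource definition. The following is an added example, not Pulumi's own policy code: it takes an NSG as a plain dict whose rules use the Azure `securityRules` property names (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange`) and reports which admin ports are reachable from any source, honoring Azure's ascending-priority, first-match evaluation. The `ANY_SOURCE` set and the sample NSG are constructed assumptions.

```python
# Added example: evaluate an Azure NSG definition for SSH/RDP exposed to any source.
# Rule dicts follow the Azure securityRules schema; the sample data is constructed.
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "Internet"}   # assumed "any source" prefixes
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def _port_set(rule):
    """Expand destinationPortRange(s) such as '22', '3000-4000' or '*'; None = all ports."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _rule_covers(rule, port):
    """True if the rule applies to a TCP packet from an arbitrary Internet source to port.
    Rules scoped to a specific source prefix are treated as not matching that source."""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").capitalize() not in ("*", "Tcp"):
        return False
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    if not any(s in ANY_SOURCE for s in sources):
        return False
    ports = _port_set(rule)
    return ports is None or port in ports

def exposed_admin_ports(nsg):
    """Return {port: rule name} for each admin port an Allow rule opens to any source.
    Azure evaluates inbound rules by ascending priority and stops at the first match;
    with no custom match the built-in DenyAllInBound (priority 65500) applies."""
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    findings = {}
    for port in ADMIN_PORTS:
        for rule in rules:
            if _rule_covers(rule, port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break  # first matching rule decides, whether Allow or Deny
    return findings

# Constructed sample: a Deny for RDP at priority 100 shadows the broad Allow at 200,
# so only SSH (22) is actually exposed.
SAMPLE_NSG = {"name": "vm-nsg", "securityRules": [
    {"name": "deny-rdp", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-admin", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22-3389"},
]}

if __name__ == "__main__":
    print(exposed_admin_ports(SAMPLE_NSG))  # {22: 'allow-admin'}
```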
Speak to a Solutions Architect to implement policy as code to manage Virtual Machines resources for CIS compliance.
Talk to a Solutions Architect
Get in touch with our Solutions Architects to bring all of your resources under management with Pulumi Insights.