CIS 8.1 - Azure
This page lists all 104 policies in the CIS 8.1 pack for Azure.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| vnet-nsg-unused | Ensure VNet network security groups are not left unused, to maintain asset inventory hygiene. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vnet-nsg-associated-to-nic | Ensure VNet network security groups are associated with network interfaces to maintain proper security controls. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vnet-public-ip-associated | Ensure VNet public IPs are associated with resources to maintain asset inventory hygiene. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| defender-for-cloud-enabled | Ensure Microsoft Defender for Cloud is enabled for asset discovery and threat detection. | 1.2 | Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. |
| update-management-compliance | Ensure VMs are configured for software updates through Azure Update Management to maintain current software versions and security patches. | 2.2 | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
| app-service-managed-updates | Ensure App Service applications have managed updates enabled to maintain current software versions and security patches. | 2.2 | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
| storage-account-secure-transfer | Require Storage Accounts to enforce HTTPS-only traffic | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| application-gateway-https-redirection | Ensure Application Gateway enforces HTTPS redirection to protect data in transit. | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| load-balancer-https-listeners | Ensure Load Balancer uses TLS/HTTPS listeners only for secure communication. | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| application-gateway-tls | Require Application Gateway to have secure TLS configuration | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| vm-not-publicly-accessible | Ensure Virtual Machines are not directly accessible from the internet for data protection and access control. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| vm-scale-set-public-ip | Require VM Scale Sets to have no public IP addresses | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| vm-in-vnet | Ensure Virtual Machines are deployed within a Virtual Network for secure network isolation. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| aks-cluster-public-access | Require AKS clusters to be private clusters | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| sql-server-disable-public-access | Require Azure SQL Server to disable public network access | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| managed-disk-snapshot-restrict-public-access | Ensure Managed Disk snapshots do not allow public network access. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| managed-disk-snapshot-restrict-network-access | Ensure Managed Disk snapshots use restrictive network access policies (not AllowAll). | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| vm-managed-identity | Ensure Virtual Machines have managed identity attached. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| function-public-access | Ensure Azure Functions restrict public access. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| function-vnet-integration | Ensure Azure Functions are integrated with Virtual Networks. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| hdinsight-cluster-public-access | Ensure HDInsight clusters restrict public access to master nodes. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| storage-account-public-write | Ensure Storage Accounts prohibit public write access. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ml-compute-internet-access | Ensure Machine Learning compute instances do not have direct internet access. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| storage-account-level-public-access | Ensure Storage Account level public access is prohibited. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| storage-account-public-access | Require Storage Accounts to disable public blob access | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| dms-instance-public-access | Prevent public accessibility of Database Migration Service instances. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| hdinsight-kerberos-enabled | Ensure Kerberos authentication is enabled on HDInsight clusters. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| search-service-vnet-only | Ensure Search Service network access is restricted to Virtual Networks only. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| synapse-cluster-public-access | Ensure Synapse Analytics clusters are not publicly accessible. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| storage-account-policy-grantee | Check the grantees of Storage Account access policies. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| subnet-auto-assign-public-ip | Ensure subnet auto-assign public IP is disabled. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| container-instance-privileged-mode | Ensure Container Instances do not run containers in privileged mode. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| aad-custom-roles | Prevent Azure AD custom roles and Azure Native custom role definitions with broad permissions. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| aad-role-assignments | Prevent Azure AD and Azure Native role assignments with excessive privileges. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| aad-direct-user-roles | Prevent Azure AD users from having direct role assignments. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| vm-detailed-monitoring | Ensure Virtual Machines have detailed monitoring enabled for security and operational visibility. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| log-analytics-workspace-retention | Require Log Analytics workspace to have appropriate retention policies | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| activity-log-monitoring | Ensure Activity Log monitoring is properly configured. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| nsg-ssh-rdp-restriction | Require Network Security Groups to restrict SSH and RDP access | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| function-scaling-check | Ensure Functions have proper scaling configuration for monitoring and performance. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| no-unrestricted-route-to-internet-gateway | Ensure route tables do not contain unrestricted routes to internet gateways for security monitoring. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| storage-account-server-side-encryption | Ensure Storage Accounts have server-side encryption enabled to protect data at rest. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| managed-disk-encryption | Require managed disks to use customer-managed encryption keys | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cosmos-db-customer-key-encryption | Require Cosmos DB to use customer-managed keys | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| log-analytics-encrypted | Ensure Log Analytics workspaces use encryption for data protection at rest. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| storage-file-encrypted-check | Ensure Azure Storage Files have encryption enabled for data protection. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| storage-account-default-encryption-cmk | Require Storage Accounts to use customer-managed keys for encryption | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| key-vault-using-cmk | Ensure Key Vault uses customer-managed keys for enhanced encryption security. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| search-service-encrypted-at-rest | Ensure Search Services use encryption at rest with customer-managed keys for data protection. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| sql-database-tde-enabled | Require Azure SQL databases to have Transparent Data Encryption (TDE) enabled | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| ml-workspace-cmk-configured | Ensure Machine Learning workspaces use customer-managed keys for encryption at rest. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| ml-compute-instance-cmk-configured | Ensure Machine Learning compute instances use customer-managed keys for disk encryption. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| service-bus-encrypted-cmk | Require Service Bus namespace to use customer-managed keys for encryption | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| key-vault-key-not-scheduled-for-deletion | Ensure Key Vault keys are not scheduled for deletion and have proper lifecycle management. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| waf-logging-enabled | Ensure Web Application Firewall logging is enabled for security analysis. | 3.14 | Log sensitive data access, including modification and disposal. |
| activity-log-storage-dataevents | Ensure Activity Log captures Storage Account data events for comprehensive log analysis. | 3.14 | Log sensitive data access, including modification and disposal. |
| search-service-logs-monitor | Ensure Search Service sends logs to monitoring solutions for comprehensive log analysis. | 3.14 | Log sensitive data access, including modification and disposal. |
| load-balancer-logging | Ensure Load Balancer has logging enabled for comprehensive security and performance analysis. | 3.14 | Log sensitive data access, including modification and disposal. |
| api-management-diagnostic-settings-exist | Ensure API Management has diagnostic settings configured (existence check). | 3.14 | Log sensitive data access, including modification and disposal. |
| diagnostic-setting-configuration | Ensure diagnostic settings are properly configured with required destinations, log categories, and retention policies. | 3.14 | Log sensitive data access, including modification and disposal. |
| activity-log-monitor-integration | Ensure Activity Log is integrated with advanced monitoring solutions for comprehensive log analysis. | 3.14 | Log sensitive data access, including modification and disposal. |
| synapse-configuration-logging | Ensure Synapse Analytics has comprehensive configuration logging enabled for advanced log analysis. | 3.14 | Log sensitive data access, including modification and disposal. |
| managed-disk-unused | Ensure Managed Disks are not left unattached, to maintain proper asset inventory. | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| activity-log-security-trail-enabled | Ensure Activity Log security trail is enabled for security monitoring and compliance. | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| subscription-part-of-management-groups | Ensure subscription is part of Management Groups for proper governance hierarchy. | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| activity-log-encryption-enabled | Ensure Activity Log encryption is enabled for data protection. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| managed-disk-attached-encryption-enabled | Ensure Managed Disks are encrypted when attached to virtual machines. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| vmss-load-balancer-healthcheck-required | Ensure VM Scale Sets have Load Balancer health check required for availability monitoring. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| storage-account-default-encryption-enabled | Ensure Storage Accounts have default encryption enabled for data protection. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| storage-account-public-read-prohibited | Ensure Storage Account public read is prohibited for data security. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| storage-account-public-write-prohibited | Ensure Storage Account public write is prohibited for data security. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| storage-account-replication-enabled | Ensure Storage Account replication is enabled for data availability and disaster recovery. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| activity-log-file-integrity-enabled | Ensure Activity Log file integrity monitoring is enabled for security monitoring. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| activity-log-multi-region-trail-enabled | Ensure Activity Log multi-region trail is enabled for resilience and compliance. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| key-vault-key-rotation-enabled | Require Key Vault keys to have rotation policies configured | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| nsg-restrict-ingress-ssh-all | Restrict SSH access from all IPs in network security groups. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| aad-global-admin-no-permanent-access | Manage default global administrator accounts to prevent permanent privileged access. | 4.7 | Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. |
| aad-role-no-wildcard-assignments | Restrict administrator privileges - no wildcard role assignments. | 5.4 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. |
| update-management-patch-compliant | Ensure Update Management managed instances are patch compliant. | 7.1 | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| security-center-enabled | Ensure Security Center is enabled for vulnerability management. | 7.1 | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| update-management-automated-patch-compliant | Ensure Update Management managed instances are patch compliant through automated patching. | 7.3 | Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. |
| sql-server-audit-logging | Require Azure SQL Server to have audit logging enabled. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| activity-log-trail-enabled | Collect audit logs from Activity Log trails. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| wafv2-logging-enabled | Collect audit logs from Web Application Firewall v2 for security monitoring. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| vnet-flow-logs-enabled | Collect audit logs from VNet flow logs for network monitoring. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cdn-distribution-logging-enabled | Collect audit logs from CDN distributions for security monitoring. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| managed-disk-backup-protection-exists | Ensure Managed Disks have backup protection (existence check). | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| backup-instance-configuration | Ensure backup instances are properly configured with backup policies and cross-region replication. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| snapshot-configuration | Ensure snapshots are properly configured for backup and recovery purposes. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| storage-account-cross-region-replication-enabled | Require Storage Accounts to have geo-replication enabled for business continuity. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| storage-account-versioning-enabled | Perform automated backups for Storage Accounts with versioning. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| synapse-backup-enabled | Ensure Synapse Analytics backup is enabled. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| azure-database-backup-enabled | Perform automated backups for Azure Database instances. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| cosmos-db-in-backup-plan | Require Cosmos DB accounts to have backup policies configured. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| cosmos-db-pitr-enabled | Ensure Cosmos DB point-in-time recovery is enabled for data protection. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| vm-no-public-ip | Ensure Virtual Machines have no public IP. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| synapse-enhanced-vnet-routing-enabled | Ensure Synapse Analytics enhanced VNet routing is enabled. | 12.2 | Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| azure-database-deletion-protection-enabled | Ensure Azure Database deletion protection is enabled. | 12.2 | Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| azure-database-multi-region-support | Ensure Azure Database multi-region support is enabled. | 12.2 | Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| cosmos-db-autoscaling-enabled | Ensure Cosmos DB autoscaling is enabled. | 12.2 | Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| load-balancer-cross-zone-enabled | Ensure Load Balancer cross-zone load balancing is enabled. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| load-balancer-deletion-protection | Ensure critical Load Balancers have resource locks to prevent accidental deletion. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. |
| key-vault-certificate-expiration-check | Ensure Key Vault certificates are checked for expiration. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| application-gateway-waf | Require Application Gateway to have Web Application Firewall enabled. | 13.1 | Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. |