1.1.1 Enable Security Defaults on Azure Active Directory (Manual)
1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users (Manual)
1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users (Manual)
1.1.4 Enable 'Restore multi-factor authentication on all remembered devices' (Manual)
1.2.1 Define Trusted Locations (Manual)
1.2.2 Consider an exclusionary Geographic Access Policy (Manual)
1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups (Manual)
1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual)
1.2.5 Require Multi-factor Authentication for Risky Sign-ins (Manual)
1.2.6 Require Multi-factor Authentication for Azure Management (Manual)
1.3 Set Up Access Review for External Users in Azure AD Privileged Identity Management (Manual)
1.4 Review Guest Users on a Regular Basis (Manual)
1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Manual)
1.6 Set 'Number of methods required to reset' to '2' (Manual)
1.7 Set a Custom Bad Password List to 'Enforce' for your Organization (Manual)
1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual)
1.9 Set 'Notify users on password resets?' to 'Yes' (Manual)
1.10 Set 'Notify all admins when other admins reset their password?' to 'Yes' (Manual)
1.11 Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers' (Manual)
1.12 Set 'Users can consent to apps accessing company data on their behalf' to 'No' (Manual)
1.13 Set 'Users can add gallery apps to My Apps' to 'No' (Manual)
1.14 Set 'Users Can Register Applications' to 'No' (Manual)
1.15 Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects' (Manual)
1.16 Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users" (Manual)
1.17 Set 'Restrict access to Azure AD administration portal' to 'Yes' (Manual)
1.18 Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes' (Manual)
1.19 Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No' (Manual)
1.20 Set 'Owners can manage group membership requests in the Access Panel' to 'No' (Manual)
1.21 Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' (Manual)
1.22 Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes' (Manual)
1.23 Ensure That No Custom Subscription Administrator Roles Exist (Automated)
1.24 Assign Permissions for Administering Resource Locks to a Custom Role (Manual)
1.25 Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One' (Manual)
2.1.1 Set Microsoft Defender for Servers to 'On' (Manual)
2.1.2 Set Microsoft Defender for App Services To 'On' (Manual)
2.1.3 Set Microsoft Defender for Databases To 'On' (Manual)
2.1.4 Set Microsoft Defender for Azure SQL Databases To 'On' (Manual)
2.1.5 Set Microsoft Defender for SQL Servers on Machines To 'On' (Manual)
2.1.6 Set Microsoft Defender for Open-Source Relational Databases To 'On' (Manual)
2.1.7 Set Microsoft Defender for Storage To 'On' (Manual)
2.1.8 Set Microsoft Defender for Containers To 'On' (Manual)
2.1.9 Set Microsoft Defender for Cosmos DB To 'On' (Manual)
2.1.10 Set Microsoft Defender for Key Vault To 'On' (Manual)
2.1.11 Set Microsoft Defender for Domain Name System (DNS) To 'On' (Manual)
2.1.12 Set Microsoft Defender for IoT To 'On' (Manual)
2.1.13 Set Microsoft Defender for Resource Manager To 'On' (Manual)
2.2.1 Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' (Manual)
2.2.2 Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' (Manual)
2.2.3 Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' (Manual)
2.3.1 Set 'All users with the following roles' to 'Owner' (Manual)
2.3.2 Configure 'Additional email addresses' with a Security Contact Email (Manual)
2.3.3 Set 'Notify about alerts with the following severity' to 'High' (Manual)
2.4.1 Select Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud (Manual)
2.4.2 Select Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud (Manual)
2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' (Manual)
2.6 Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' (Manual)
3.1 Set 'Secure transfer required' to 'Enabled' (Automated)
3.2 Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' (Automated)
3.3 Enable 'Enable key rotation reminders' for each Storage Account (Manual)
3.4 Ensure that Storage Account Access Keys are Periodically Regenerated (Manual)
3.5 Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests (Manual)
3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual)
3.7 Disable 'Public access level' for storage accounts with blob containers (Automated)
3.8 Set Default Network Access Rule for Storage Accounts to Deny (Automated)
3.9 Enable 'Allow Azure services on the trusted services list to access this storage account' for Storage Account Access (Automated)
3.10 Use Private Endpoints to access Storage Accounts (Automated)
3.11 Enable Soft Delete for Azure Containers and Blob Storage (Manual)
3.12 Encrypt Storage for Critical Data with Customer Managed Keys (Manual)
3.13 Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests (Manual)
3.14 Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests (Manual)
3.15 Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" (Automated)
4.1.1 Set 'Auditing' to 'On' (Manual)
4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (any IP) (Automated)
4.1.3 Encrypt SQL server's Transparent Data Encryption (TDE) protector with Customer-managed key (Automated)
4.1.4 Configure Azure Active Directory Admin for SQL Servers (Automated)
4.1.5 Set 'Data encryption' to 'On' on a SQL Database (Automated)
4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' (Manual)
4.2.1 Set Microsoft Defender for SQL to 'On' for critical SQL Servers (Automated)
4.2.2 Enable Vulnerability Assessment (VA) on a SQL server by setting a Storage Account (Automated)
4.2.3 Set Vulnerability Assessment (VA) setting 'Periodic recurring scans' to 'on' for each SQL server (Automated)
4.2.4 Configure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server (Automated)
4.2.5 Set Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' for each SQL Server (Automated)
4.3.1 Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server (Automated)
4.3.2 Set Server Parameter 'log_checkpoints' to 'ON' for PostgreSQL Database Server (Automated)
4.3.3 Set server parameter 'log_connections' to 'ON' for PostgreSQL Database Server (Automated)
4.3.4 Set server parameter 'log_disconnections' to 'ON' for PostgreSQL Database Server (Automated)
4.3.5 Set server parameter 'connection_throttling' to 'ON' for PostgreSQL Database Server (Automated)
4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Automated)
4.3.7 Disable 'Allow access to Azure services' for PostgreSQL Database Server (Automated)
4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' (Automated)
4.4.1 Set 'Enforce SSL connection' to 'Enabled' for Standard MySQL Database Server (Automated)
4.4.2 Set 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server (Automated)
4.4.3 Set server parameter 'audit_log_enabled' to 'ON' for MySQL Database Server (Manual)
4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server (Manual)
4.5.1 Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks (Automated)
4.5.2 Use Private Endpoints Where Possible (Automated)
5.1.1 Ensure that a 'Diagnostic Setting' exists (Manual)
5.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)
5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (Manual)
5.1.4 Encrypt the storage account containing the container with activity logs with Customer Managed Key (Manual)
5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' (Automated)
5.1.6 Capture Network Security Group (NSG) Flow logs and send to Log Analytics (Manual)
5.1.7 Enable logging for Azure AppService 'HTTP logs' (Manual)
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated)
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group (Automated)
5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution (Automated)
5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution (Automated)
5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)
5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated)
5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule (Automated)
5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule (Automated)
5.3 Enable Azure Monitor Resource Logging for All Services that Support it (Manual)
6.1 Evaluate and restrict Remote Desktop Protocol (RDP) access from the Internet (Automated)
6.2 Evaluate and restrict SSH access from the Internet (Automated)
6.3 Evaluate and restrict User Datagram Protocol (UDP) access from the Internet (Automated)
6.4 Evaluate and restrict HTTP(S) access from the Internet (Automated)
6.5 Ensure that Network Security Group (NSG) Flow Log retention period is 'greater than 90 days' (Automated)
6.6 This policy exists in addition to lacework-global-816. See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
6.6 This policy exists in addition to lacework-global-634. See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
6.7 Evaluate Public IP addresses on a Periodic Basis (Manual)
7.1 Ensure Virtual Machines are utilizing Managed Disks (Automated)
7.2 Encrypt 'OS and Data' disks with Customer Managed Key (CMK) (Automated)
7.3 Encrypt 'Unattached disks' with Customer Managed Key (CMK) (Automated)
7.4 Install Only Approved Extensions (Manual)
7.5 Install Endpoint Protection for all Virtual Machines (Manual)
7.6 (Legacy) Encrypt Virtual Hard Disks (VHD) (Manual)
8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated)
8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (Automated)
8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated)
8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated)
8.5 Ensure the Key Vault is Recoverable (Automated)
8.6 Enable Role Based Access Control for Azure Key Vault (Automated)
8.7 Use Private Endpoints for Azure Key Vault (Automated)
8.8 Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services (Manual)
9.1 Set up App Service Authentication for apps in Azure App Service (Automated)
9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service (Automated)
9.3 Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption (Automated)
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Automated)
9.5 Enable Register with Azure Active Directory on App Service (Automated)
9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App (Manual)
9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App (Manual)
9.8 Ensure that 'Java version' is the latest, if used to run the Web App (Manual)
9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App (Automated)
9.10 Disable File Transfer Protocol (FTP) deployments (Automated)
9.11 Use Azure Key Vaults to Store Secrets (Manual)
10.1 Set Resource Locks for Mission-Critical Azure Resources (Manual)