
CIS Azure 1.5.0 Benchmark

Lacework provides compliance policies based on CIS Microsoft Azure Foundations Benchmark v1.5.0 (or CIS Azure 1.5.0 Benchmark for short).

Once you have integrated your Microsoft Azure environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.

Revision History

Added
| Control ID | Lacework Policy ID | Title | Enabled by default? |
|---|---|---|---|
| 6.6 | lacework-global-816 | Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) | False |

See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.

Visibility and Usage in the Lacework Console

You can use the CIS Azure 1.5.0 Benchmark in the following ways:

Prerequisites

Ensure you have integrated your Azure environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Azure 1.5.0 Benchmark:

Previous Integrations using Terraform

If you have previously integrated Azure with Lacework using Terraform before this benchmark was available:

  1. Enter the directory containing the Terraform files used for the integration.
  2. Run terraform init -upgrade to re-initialize the working directory and pull the latest versions of the Lacework modules.
  3. Run terraform plan and review the changes that will be applied.
  4. Once satisfied with the changes that will be applied, run terraform apply to upgrade the modules.

CIS Azure 1.5.0 Benchmark Policies

All policies in the CIS Azure 1.5.0 Benchmark are enabled by default, with the exception of lacework-global-816 (see Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled').

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies in the Lacework Console

On the Policies page, use the framework:cis-azure-1-5-0 tag to filter for CIS Azure 1.5.0 policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.

Enable or Disable Policies using the Lacework CLI

tip

If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Enable or disable all the CIS Azure 1.5.0 policies using the following commands in the Lacework CLI:

Enable all policies:
lacework policy enable --tag framework:cis-azure-1-5-0

Disable all policies:
lacework policy disable --tag framework:cis-azure-1-5-0

Enable or disable specific CIS Azure 1.5.0 policies using the following command examples in the Lacework CLI:

Enable lacework-global-528:
lacework policy enable lacework-global-528

Disable lacework-global-528:
lacework policy disable lacework-global-528

Policy Mapping for CIS Azure 1.5.0

The CIS Azure 1.5.0 controls are mapped to Lacework policies, as listed in the following tables.

Table key:

  • Control ID - The CIS Azure 1.5.0 Benchmark security control identifier.
  • Title - The policy/control title.
  • Lacework Policy ID - The Lacework policy identifier.
  • CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
  • Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
  • Severity - The severity of the policy (as determined by Lacework).
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.3 | Set Up Access Review for External Users in Azure AD Privileged Identity Management | lacework-global-588 | Manual | Manual | Low |
| 1.4 | Review Guest Users on a Regular Basis | lacework-global-499 | Manual | Manual | Medium |
| 1.5 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | lacework-global-500 | Manual | Manual | High |
| 1.6 | Set 'Number of methods required to reset' to '2' | lacework-global-501 | Manual | Manual | High |
| 1.7 | Set a Custom Bad Password List to 'Enforce' for your Organization | lacework-global-502 | Manual | Manual | High |
| 1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | lacework-global-503 | Manual | Manual | High |
| 1.9 | Set 'Notify users on password resets?' to 'Yes' | lacework-global-504 | Manual | Manual | High |
| 1.10 | Set 'Notify all admins when other admins reset their password?' to 'Yes' | lacework-global-505 | Manual | Manual | High |
| 1.11 | Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers' | lacework-global-589 | Manual | Manual | Medium |
| 1.12 | Set 'Users can consent to apps accessing company data on their behalf' to 'No' | lacework-global-506 | Manual | Manual | Medium |
| 1.13 | Set 'Users can add gallery apps to My Apps' to 'No' | lacework-global-507 | Manual | Manual | High |
| 1.14 | Set 'Users Can Register Applications' to 'No' | lacework-global-508 | Manual | Manual | High |
| 1.15 | Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects' | lacework-global-509 | Manual | Manual | High |
| 1.16 | Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users" | lacework-global-590 | Manual | Manual | Critical |
| 1.17 | Set 'Restrict access to Azure AD administration portal' to 'Yes' | lacework-global-510 | Manual | Manual | Critical |
| 1.18 | Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes' | lacework-global-591 | Manual | Manual | High |
| 1.19 | Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No' | lacework-global-592 | Manual | Manual | High |
| 1.20 | Set 'Owners can manage group membership requests in the Access Panel' to 'No' | lacework-global-593 | Manual | Manual | High |
| 1.21 | Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' | lacework-global-594 | Manual | Manual | High |
| 1.22 | Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes' | lacework-global-511 | Manual | Manual | Medium |
| 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | lacework-global-512 | Automated | Automated | Medium |
| 1.24 | Assign Permissions for Administering Resource Locks to a Custom Role | lacework-global-595 | Manual | Manual | Medium |
| 1.25 | Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One' | lacework-global-596 | Manual | Manual | High |

| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.1.1 | Enable Security Defaults on Azure Active Directory | lacework-global-513 | Manual | Manual | High |
| 1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | lacework-global-514 | Manual | Manual | High |
| 1.1.3 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | lacework-global-597 | Manual | Manual | Medium |
| 1.1.4 | Enable 'Restore multi-factor authentication on all remembered devices' | lacework-global-515 | Manual | Manual | Medium |

Automated vs Manual Policies

Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.

For some benchmark recommendations, it is not possible to automate the policy checks in an Azure environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).
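The following Python script is an added example and is not Lacework's own code. It takes the rows of the section 1 mapping table above (control ID, policy ID, CIS assessment, Lacework assessment and severity; titles are omitted), assigns each row to one of the categories this section describes by comparing the CIS and Lacework assessment columns, and builds a severity-ordered queue of the policies you still have to verify by hand. The bucket labels, function names and the severity ranking are mine, not Lacework's.

```python
"""Classify CIS Azure 1.5.0 policies by who can assess them (added example)."""
from collections import Counter

# Severity order used for the manual review queue (my assumption, not Lacework's).
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Rows copied from the section 1 mapping table on this page:
# (control ID, Lacework policy ID, CIS assessment, Lacework assessment, severity)
POLICIES = [
    ("1.3", "lacework-global-588", "Manual", "Manual", "Low"),
    ("1.4", "lacework-global-499", "Manual", "Manual", "Medium"),
    ("1.5", "lacework-global-500", "Manual", "Manual", "High"),
    ("1.6", "lacework-global-501", "Manual", "Manual", "High"),
    ("1.7", "lacework-global-502", "Manual", "Manual", "High"),
    ("1.8", "lacework-global-503", "Manual", "Manual", "High"),
    ("1.9", "lacework-global-504", "Manual", "Manual", "High"),
    ("1.10", "lacework-global-505", "Manual", "Manual", "High"),
    ("1.11", "lacework-global-589", "Manual", "Manual", "Medium"),
    ("1.12", "lacework-global-506", "Manual", "Manual", "Medium"),
    ("1.13", "lacework-global-507", "Manual", "Manual", "High"),
    ("1.14", "lacework-global-508", "Manual", "Manual", "High"),
    ("1.15", "lacework-global-509", "Manual", "Manual", "High"),
    ("1.16", "lacework-global-590", "Manual", "Manual", "Critical"),
    ("1.17", "lacework-global-510", "Manual", "Manual", "Critical"),
    ("1.18", "lacework-global-591", "Manual", "Manual", "High"),
    ("1.19", "lacework-global-592", "Manual", "Manual", "High"),
    ("1.20", "lacework-global-593", "Manual", "Manual", "High"),
    ("1.21", "lacework-global-594", "Manual", "Manual", "High"),
    ("1.22", "lacework-global-511", "Manual", "Manual", "Medium"),
    ("1.23", "lacework-global-512", "Automated", "Automated", "Medium"),
    ("1.24", "lacework-global-595", "Manual", "Manual", "Medium"),
    ("1.25", "lacework-global-596", "Manual", "Manual", "High"),
    ("1.1.1", "lacework-global-513", "Manual", "Manual", "High"),
    ("1.1.2", "lacework-global-514", "Manual", "Manual", "High"),
    ("1.1.3", "lacework-global-597", "Manual", "Manual", "Medium"),
    ("1.1.4", "lacework-global-515", "Manual", "Manual", "Medium"),
]


def bucket(cis: str, lacework: str) -> str:
    """Map the two assessment columns onto the categories this section describes."""
    if cis == lacework:
        return cis.lower()                        # plain "automated" or "manual"
    if lacework == "Automated":
        return "automated (deemed manual by CIS)"  # Lacework automated a CIS-manual control
    return "manual (deemed automated by CIS)"      # Lacework ships a CIS-automated control as manual


def _control_key(control_id: str) -> tuple:
    """Sort '1.10' after '1.9' by comparing numeric parts, not strings."""
    return tuple(int(part) for part in control_id.split("."))


def summarize(rows) -> dict:
    """Count rows per bucket and compute the share you must check by hand."""
    counts = Counter(bucket(cis, lw) for _, _, cis, lw, _ in rows)
    automated = sum(1 for _, _, _, lw, _ in rows if lw == "Automated")
    total = len(rows)
    return {
        "total": total,
        "buckets": dict(counts),
        "automated_by_lacework": automated,
        "manual_share": round((total - automated) / total, 3),
    }


def manual_review_queue(rows) -> list:
    """Policies Lacework does not check for you, most severe first."""
    manual = [(cid, pid, sev) for cid, pid, _, lw, sev in rows if lw == "Manual"]
    return sorted(manual, key=lambda r: (SEVERITY_RANK[r[2]], _control_key(r[0])))


if __name__ == "__main__":
    print(summarize(POLICIES))
    for cid, pid, sev in manual_review_queue(POLICIES):
        print(f"{sev:<8} {cid:<6} {pid}")
```

Run it as-is to print the summary and the review queue for section 1; paste in rows from the other sections of the mapping table to extend the picture. The CIS-published totals quoted in the FAQ (69 automated and 78 manual of 147 controls) give the same kind of manual share for the whole benchmark.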

Automated Policies (that were deemed manual)

In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.

The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 3.2 | lacework-global-615 | Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' |
| 3.10 | lacework-global-534 | Use Private Endpoints to access Storage Accounts |
| 4.3.7 | lacework-global-549 | Disable 'Allow access to Azure services' for PostgreSQL Database Server |
| 4.5.1 | lacework-global-628 | Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks |
| 4.5.2 | lacework-global-629 | Use Private Endpoints Where Possible |
| 6.6 | lacework-global-634 | Ensure that Network Watcher is 'Enabled' (includes Reserved access regions) |
| 7.1 | lacework-global-573 | Ensure Virtual Machines are utilizing Managed Disks |
| 8.6 | lacework-global-639 | Enable Role Based Access Control for Azure Key Vault |
| 8.7 | lacework-global-640 | Use Private Endpoints for Azure Key Vault |

Policies that are pending automation

Lacework intends to automate the policies listed below in a future release. All of these controls were deemed as manual by CIS.

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 5.1.6 | lacework-global-631 | Capture Network Security Group (NSG) Flow logs and send to Log Analytics |
| 8.8 | lacework-global-641 | Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services |

Manual Policies (that were deemed automated)

In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.

This is often due to one of the following reasons:

  • Scope is defined by the user.
  • It requires configuring other products or API permissions that are out of scope.
  • There are known issues with the audit procedure described by the CIS control.

The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:

info

Lacework intends to automate these policies in a future release.

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.1 | lacework-global-537 | Set 'Auditing' to 'On' |
| 4.1.6 | lacework-global-541 | Ensure that 'Auditing' Retention is 'greater than 90 days' |

Permanently Manual Policies (that were deemed automated)

The following table outlines controls that were deemed automated by CIS, but will remain as manual policies:

note

For sections 2.2 and 2.3, see 2 - Microsoft Defender for Cloud for additional details.

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 2.2.1 | lacework-global-524 | Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' |
| 2.2.2 | lacework-global-611 | Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' |
| 2.2.3 | lacework-global-612 | Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' |
| 2.3.1 | lacework-global-525 | Set 'All users with the following roles' to 'Owner' |
| 2.3.2 | lacework-global-526 | Configure 'Additional email addresses' with a Security Contact Email |
| 2.3.3 | lacework-global-527 | Set 'Notify about alerts with the following severity' to 'High' |
| 3.5 | lacework-global-616 | Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests |
| 3.11 | lacework-global-535 | Enable Soft Delete for Azure Containers and Blob Storage |
| 3.13 | lacework-global-619 | Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests |
| 3.14 | lacework-global-620 | Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests |
| 5.1.3 | lacework-global-556 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible |
| 5.1.4 | lacework-global-630 | Encrypt the storage account containing the container with activity logs with Customer Managed Key |

Unimplemented Policies

The following policies are not yet implemented in the Lacework Compliance platform. Lacework will be adding these policies soon.

All policies listed in the table below are intended to be automated once released:

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 8.1 | lacework-global-575 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults |
| 8.2 | lacework-global-576 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults |
| 8.3 | lacework-global-577 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults |
| 8.4 | lacework-global-578 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults |

Adjusted Controls

6.6 Ensure that Network Watcher is 'Enabled'

This control has been split into two policies in order to monitor either:

  • All regions including Reserved access regions (lacework-global-634).
  • All regions excluding Reserved access regions (lacework-global-816).

The table below outlines each policy and their title:

| Control ID | Lacework Policy ID | Title | Enabled by default? |
|---|---|---|---|
| 6.6 | lacework-global-634 | Ensure that Network Watcher is 'Enabled' (includes Reserved access regions) | True |
| 6.6 | lacework-global-816 | Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) | False |

If you do not use the Reserved access regions, please disable lacework-global-634, and enable lacework-global-816 in its place.

FAQs

Why are there so many manual policies in CIS Azure 1.5.0?
  • The Azure v1.5.0 benchmark (published by CIS) has 147 policies: 69 automated and 78 manual.
  • In comparison, the Azure v1.3.1 benchmark had 111 policies: 61 automated and 50 manual.

Due to the policies yet to be implemented, and those temporarily released as manual, Lacework's v1.5.0 benchmark may appear to have an imbalance of manual policies. As noted though, more than 50% of the CIS Azure 1.5.0 policies are manual.

Why were some policies in v1.3.1 automated but now moved to manual in v1.5.0?

There were a set of five policies in v1.3.1 that were automated, and are still marked as automated by CIS in v1.5.0. Lacework has temporarily released these five policies as manual, with a plan to automate them in the future. See Manual Policies (that were deemed automated).

A further set of six policies in v1.3.1 were automated, and have been marked as automated by CIS in v1.5.0. Lacework has delivered manual policies for these in v1.5.0. See Permanently Manual Policies (that were deemed automated).

Why were some policies in v1.3.1 manual but now moved to automated in v1.5.0?

Lacework is sometimes able to monitor the required resources for a given policy (even when deemed as manual by CIS). These policies are then automated in the Lacework Compliance Platform.

Three policies that were manual in v1.3.1 have been automated by Lacework for v1.5.0:

  1. Azure_CIS_131_6_5
  2. Azure_CIS_131_7_1
  3. Azure_CIS_131_9_9

Also, an additional four policies that are new in v1.5.0 have been automated (where CIS specified them as manual).

Do I have improved coverage with v1.5.0 versus what I had with v1.3.1?

When Lacework delivers on remaining unimplemented policies and planned automation for manual policies (including Policies that are pending automation), coverage for v1.5.0 will be an improvement over v1.3.1.

Which policies are yet to be updated/released within the v1.5.0 benchmark?

As of 1st March 2023, there are 4 unimplemented policies. Work is in progress to complete automation of these policies.

There are also 4 policies that have been marked as manual by CIS for v1.5.0, but Lacework intends to automate these policies in a future release. See Policies that are pending automation.

Why do control IDs 8.6 and 8.7 show as "Could Not Assess" in policy assessments and reports?

Policy assessments and reports for control IDs 8.6 and 8.7 may show "Could Not Assess" if you do not have the Key Vault Reader role assigned to the Lacework application used for the integration.

This applies to Azure Key Vaults in your subscription/tenant that do not have RBAC enabled.

See Assign Azure Key Vault permissions in the Azure integration prerequisites for help in assigning this role.
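To find out which vaults the previous FAQ item applies to before a report shows "Could Not Assess", the following Python script is an added example, not Lacework's or Microsoft's code. It filters Key Vaults to those where Azure RBAC authorization is not enabled. It assumes the JSON shape returned by `az keyvault list -o json`, where each vault carries a `properties.enableRbacAuthorization` flag; the sample data embedded below is constructed, and the `az` invocation is optional and only used when the Azure CLI is on the PATH.

```python
"""List Key Vaults still on the access-policy model (added example)."""
import json
import shutil
import subprocess

# Constructed sample in the shape of `az keyvault list -o json` (assumption about the shape).
SAMPLE_VAULTS_JSON = json.dumps([
    {"name": "kv-rbac", "resourceGroup": "rg-prod",
     "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-legacy", "resourceGroup": "rg-prod",
     "properties": {"enableRbacAuthorization": False}},
    {"name": "kv-unset", "resourceGroup": "rg-dev",
     "properties": {}},
])


def non_rbac_vaults(vaults_json: str) -> list:
    """Return sorted (name, resourceGroup) pairs for vaults where RBAC is not enabled.

    A missing or null enableRbacAuthorization is treated as "not enabled" because
    vaults created without the flag default to the access-policy model.
    """
    affected = []
    for vault in json.loads(vaults_json):
        rbac = vault.get("properties", {}).get("enableRbacAuthorization")
        if rbac is not True:
            affected.append((vault["name"], vault["resourceGroup"]))
    return sorted(affected)


def list_vaults_with_az() -> str:
    """Fetch live data with the Azure CLI (assumption: `az` is installed and logged in)."""
    if shutil.which("az") is None:
        raise RuntimeError("Azure CLI not found; pass the output of `az keyvault list -o json` instead")
    completed = subprocess.run(
        ["az", "keyvault", "list", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return completed.stdout


if __name__ == "__main__":
    try:
        data = list_vaults_with_az()
    except RuntimeError as exc:
        print(f"{exc}; using the constructed sample")
        data = SAMPLE_VAULTS_JSON
    for name, rg in non_rbac_vaults(data):
        print(f"{name} ({rg}): access-policy model; Key Vault Reader role needed for 8.6/8.7")
```

Vaults it lists are the ones for which the Lacework application needs the Key Vault Reader role described above; vaults with RBAC enabled are not affected by that FAQ item.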