Skip to main content

CIS Azure 1.5.0 Benchmark

Lacework provides compliance policies based on CIS Microsoft Azure Foundations Benchmark v1.5.0 (or CIS Azure 1.5.0 Benchmark for short).

Once you have integrated your Microsoft Azure environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.

Revision History

Added
Control IDLacework Policy IDTitleEnabled by default?
6.6lacework-global-816Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions)False

See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.

Visibility and Usage in the Lacework Console

You can use the CIS Azure 1.5.0 Benchmark in the following ways:

Prerequisites

Ensure you have integrated your Azure environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Azure 1.5.0 Benchmark:

Previous Integrations using Terraform

If you have previously integrated Azure with Lacework using Terraform before this benchmark was available:

  1. Enter the directory containing the Terraform files used for the integration.
  2. Run terraform init -upgrade to initialize the working directory (containing the Terraform files).
  3. Run terraform plan and review the changes that will be applied.
  4. Once satisfied with the changes that will be applied, run terraform apply to upgrade the modules.

CIS Azure 1.5.0 Benchmark Policies

All policies in the CIS Azure 1.5.0 Benchmark are enabled by default.

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies in the Lacework Console

On the Policies page, use the framework:cis-azure-1-5-0 tag to filter for CIS Azure 1.5.0 policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.

Enable or Disable Policies using the Lacework CLI

tip

If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Enable or disable all the CIS Azure 1.5.0 policies using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:cis-azure-1-5-0
Disable all policies
lacework policy disable --tag framework:cis-azure-1-5-0

Enable or disable specific CIS Azure 1.5.0 policies using the following command examples in the Lacework CLI:

Enable lacework-global-528
lacework policy enable lacework-global-528
Disable lacework-global-528
lacework policy disable lacework-global-528

Policy Mapping for CIS Azure 1.5.0

The CIS Azure 1.5.0 controls are mapped to Lacework policies, as listed in the following tables.

Table key:

  • Control ID - The CIS Azure 1.5.0 Benchmark security control identifier.
  • Title - The policy/control title.
  • Lacework Policy ID - The Lacework policy identifier.
  • CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
  • Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
  • Severity - The severity of the policy (as determined by Lacework).
Control IDTitleLacework Policy IDCIS AssessmentLacework AssessmentSeverity
1.3Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Managementlacework-global-588ManualManualLow
1.4Ensure Guest Users Are Reviewed on a Regular Basislacework-global-499ManualManualMedium
1.5Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'lacework-global-500ManualManualHigh
1.6Ensure That 'Number of methods required to reset' is set to '2'lacework-global-501ManualManualHigh
1.7Ensure that a Custom Bad Password List is set to 'Enforce' for your Organizationlacework-global-502ManualManualHigh
1.8Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'lacework-global-503ManualManualHigh
1.9Ensure that 'Notify users on password resets?' is set to 'Yes'lacework-global-504ManualManualHigh
1.10Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'lacework-global-505ManualManualHigh
1.11Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’lacework-global-589ManualManualMedium
1.12Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'lacework-global-506ManualManualMedium
1.13Ensure that 'Users can add gallery apps to My Apps' is set to 'No'lacework-global-507ManualManualHigh
1.14Ensure That ‘Users Can Register Applications’ Is Set to ‘No’lacework-global-508ManualManualHigh
1.15Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'lacework-global-509ManualManualHigh
1.16Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"lacework-global-590ManualManualCritical
1.17Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'lacework-global-510ManualManualCritical
1.18Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'lacework-global-591ManualManualHigh
1.19Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'lacework-global-592ManualManualHigh
1.20Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'lacework-global-593ManualManualHigh
1.21Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'lacework-global-594ManualManualHigh
1.22Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'lacework-global-511ManualManualMedium
1.23Ensure That No Custom Subscription Owner Roles Are Createdlacework-global-512AutomatedAutomatedMedium
1.24Ensure a Custom Role is Assigned Permissions for Administering Resource Lockslacework-global-595ManualManualMedium
1.25Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’lacework-global-596ManualManualHigh
Control IDTitleLacework Policy IDCIS AssessmentLacework AssessmentSeverity
1.1.1Ensure Security Defaults is enabled on Azure Active Directorylacework-global-513ManualManualHigh
1.1.2Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Userslacework-global-514ManualManualHigh
1.1.3Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Userslacework-global-597ManualManualMedium
1.1.4Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabledlacework-global-515ManualManualMedium

Automated vs Manual Policies

Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.

For some benchmark recommendations, it is not possible to automate the policy checks in an Azure environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).

Automated Policies (that were deemed manual)

In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.

The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:

Click to expand
Control IDLacework Policy IDTitle
3.2lacework-global-615Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’
3.10lacework-global-534Use Private Endpoints to access Storage Accounts
4.3.7lacework-global-549Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
4.5.1lacework-global-628Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
4.5.2lacework-global-629Ensure That Private Endpoints Are Used Where Possible
6.6lacework-global-634
lacework-global-816
Ensure that Network Watcher is 'Enabled'
7.1lacework-global-573Ensure Virtual Machines are utilizing Managed Disks
8.6lacework-global-639Enable Role Based Access Control for Azure Key Vault
8.7lacework-global-640Use Private Endpoints for Azure Key Vault

Policies that are pending automation

Lacework intends to automate the policies listed below in a future release. All of these controls were deemed as manual by CIS.

Click to expand
Control IDLacework Policy IDTitle
5.1.6lacework-global-631Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
8.8lacework-global-641Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Manual Policies (that were deemed automated)

In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.

This is often due to one of the following reasons:

  • Scope is defined by the user.
  • It requires configuring other products or API permissions that are out of scope.
  • Known issues for audit procedure described by the CIS control.

The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:

info

Lacework intends to automate these policies in a future release.

Click to expand
Control IDLacework Policy IDTitle
4.1.1lacework-global-537Ensure that 'Auditing' is set to 'On'
4.1.6lacework-global-541Ensure that 'Auditing' Retention is 'greater than 90 days'

Permanently Manual Policies (that were deemed automated)

The following table outlines controls that were deemed automated by CIS, but will remain as manual policies:

note

For sections 2.2 and 2.3, see 2 - Microsoft Defender for Cloud for additional details.

Click to expand
Control IDLacework Policy IDTitle
2.2.1lacework-global-524Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
2.2.2lacework-global-611Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
2.2.3lacework-global-612Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
2.3.1lacework-global-525Ensure That 'All users with the following roles' is set to 'Owner'
2.3.2lacework-global-526Ensure 'Additional email addresses' is Configured with a Security Contact Email
2.3.3lacework-global-527Ensure That 'Notify about alerts with the following severity' is Set to 'High'
3.5lacework-global-616Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
3.11lacework-global-535Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
3.13lacework-global-619Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
3.14lacework-global-620Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
5.1.3lacework-global-556Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
5.1.4lacework-global-630Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

Unimplemented Policies

The following policies are not yet implemented into our Compliance platform. Lacework will be adding these policies soon.

All policies listed in the table below are intended to be automated once released:

Click to expand
Control IDLacework Policy IDTitle
8.1lacework-global-575Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
8.2lacework-global-576Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.
8.3lacework-global-577Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
8.4lacework-global-578Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults

Adjusted Controls

6.6 Ensure that Network Watcher is 'Enabled'

This control has been split into two policies in order to monitor either:

  • All regions including Reserved access regions (lacework-global-634).
  • All regions excluding Reserved access regions (lacework-global-816).

The table below outlines each policy and their title:

Control IDLacework Policy IDTitleEnabled by default?
6.6lacework-global-634Ensure that Network Watcher is 'Enabled' (includes Reserved access regions)True
6.6lacework-global-816Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions)False

If you do not use the Reserved access regions, please disable lacework-global-634, and enable lacework-global-816 in its place.

FAQs

Why are there so many manual policies in CIS Azure 1.5.0?
  • The Azure v1.5.0 benchmark (published by CIS) has 147 policies: 69 automated and 78 manual.
  • In comparison, the Azure v1.3.1 benchmark had 111 policies: 61 automated and 50 manual.

Due to the policies yet to be implemented, and those temporarily released as manual, Lacework's v1.5.0 benchmark may appear to have an imbalance of manual policies. As noted though, more than 50% of the CIS Azure 1.5.0 policies are manual.

Why were some policies in v1.3.1 automated but now moved to manual in v1.5.0?

There were a set of five policies in v1.3.1 that were automated, and are still marked as automated by CIS in v1.5.0. Lacework has temporarily released these five policies as manual, with a plan to automate them in the future. See Manual Policies (that were deemed automated).

A further set of six policies in v1.3.1 were automated, and have been marked as automated by CIS in v1.5.0. Lacework has delivered manual policies for these in v1.5.0. See Permanently Manual Policies (that were deemed automated).

Why were some policies in v1.3.1 manual but now moved to automated in v1.5.0?

Lacework is sometimes able to monitor the required resources for a given policy (even when deemed as manual by CIS). These policies are then automated in the Lacework Compliance Platform.

Three policies that were manual in v1.3.1 have been automated by Lacework for v1.5.0:

  1. Azure_CIS_131_6_5
  2. Azure_CIS_131_7_1
  3. Azure_CIS_131_9_9

Also, an additional four policies that are new in v1.5.0 have been automated (where CIS specified them as manual).

Do I have improved coverage with v1.5.0 versus what I had with v1.3.1?

When Lacework delivers on remaining unimplemented policies and planned automation for manual policies (including Policies that are pending automation), coverage for v1.5.0 will be an improvement over v1.3.1.

Which policies are yet to be updated/released within the v1.5.0 benchmark?

As of 1st March 2023, there are 4 unimplemented policies. Work is in progress to complete automation of these policies.

There are also 4 policies that have been marked as manual by CIS for v1.5.0, but Lacework intends to automate these policies in a future release. See Policies that are pending automation.

Why do control IDs 8.6 and 8.7 show as "Could Not Assess" in policy assessments and reports?

Policy assessments and reports for control ID 8.6 and 8.7 may show "Could Not Assess" if you do have the Key Vault Reader role assigned to the Lacework application used for the integration.

This applies to Azure Key Vaults in your subscription/tenant that do not have RBAC enabled.

See Assign Azure Key Vault permissions in the Azure integration prerequisites for help in assigning this role.