CIS Azure 1.5.0 Benchmark
Lacework provides compliance policies based on CIS Microsoft Azure Foundations Benchmark v1.5.0 (or CIS Azure 1.5.0 Benchmark for short).
Once you have integrated your Microsoft Azure environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Revision History
Revision 2
Added:
Control ID | Lacework Policy ID | Title | Enabled by default? |
---|---|---|---|
6.6 | lacework-global-816 | Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) | False |
See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
Revision 1
Initial release.
Visibility and Usage in the Lacework Console
You can use the CIS Azure 1.5.0 Benchmark in the following ways:
- Enable or disable policies through the Policies page (see CIS Azure 1.5.0 Benchmark Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled CIS Azure 1.5.0 Benchmark policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the CIS Azure 1.5.0 Benchmark.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the CIS Azure 1.5.0 Benchmark as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your Azure environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Azure 1.5.0 Benchmark:
- Integrate Lacework with Azure
- A Configuration integration is the minimum requirement for your tenants/subscriptions to gain access to our Compliance platform functionality.
- Ensure that you have also assigned the appropriate Azure Key Vault permissions to the Azure application created for Lacework.
Previous Integrations using Terraform
If you integrated Azure with Lacework using Terraform before this benchmark was available, upgrade the modules as follows:
- Enter the directory containing the Terraform files used for the integration.
- Run the following to initialize the working directory (containing the Terraform files):
terraform init -upgrade
- Run the following and review the changes that will be applied:
terraform plan
- Once you are satisfied with the changes that will be applied, run the following to upgrade the modules:
terraform apply
CIS Azure 1.5.0 Benchmark Policies
All policies in the CIS Azure 1.5.0 Benchmark are enabled by default.
You can enable or disable them using either of the methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:cis-azure-1-5-0 tag to filter for CIS Azure 1.5.0 policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the CIS Azure 1.5.0 policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-azure-1-5-0
lacework policy disable --tag framework:cis-azure-1-5-0
Enable or disable specific CIS Azure 1.5.0 policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-528
lacework policy disable lacework-global-528
Policy Mapping for CIS Azure 1.5.0
The CIS Azure 1.5.0 controls are mapped to Lacework policies, as listed in the following tables.
Table key:
- Control ID - The CIS Azure 1.5.0 Benchmark security control identifier.
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- CIS Assessment - Whether CIS has determined that the security control can be assessed automatically or whether it requires manual verification.
- Lacework Assessment - Whether Lacework has determined that the security control can be assessed automatically or whether it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
1. Identity and Access Management (IAM)
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
1.3 | Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | lacework-global-588 | Manual | Manual | Low |
1.4 | Ensure Guest Users Are Reviewed on a Regular Basis | lacework-global-499 | Manual | Manual | Medium |
1.5 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | lacework-global-500 | Manual | Manual | High |
1.6 | Ensure That 'Number of methods required to reset' is set to '2' | lacework-global-501 | Manual | Manual | High |
1.7 | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | lacework-global-502 | Manual | Manual | High |
1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | lacework-global-503 | Manual | Manual | High |
1.9 | Ensure that 'Notify users on password resets?' is set to 'Yes' | lacework-global-504 | Manual | Manual | High |
1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | lacework-global-505 | Manual | Manual | High |
1.11 | Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’ | lacework-global-589 | Manual | Manual | Medium |
1.12 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | lacework-global-506 | Manual | Manual | Medium |
1.13 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | lacework-global-507 | Manual | Manual | High |
1.14 | Ensure That ‘Users Can Register Applications’ Is Set to ‘No’ | lacework-global-508 | Manual | Manual | High |
1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | lacework-global-509 | Manual | Manual | High |
1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | lacework-global-590 | Manual | Manual | Critical |
1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | lacework-global-510 | Manual | Manual | Critical |
1.18 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | lacework-global-591 | Manual | Manual | High |
1.19 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | lacework-global-592 | Manual | Manual | High |
1.20 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | lacework-global-593 | Manual | Manual | High |
1.21 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | lacework-global-594 | Manual | Manual | High |
1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | lacework-global-511 | Manual | Manual | Medium |
1.23 | Ensure That No Custom Subscription Owner Roles Are Created | lacework-global-512 | Automated | Automated | Medium |
1.24 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | lacework-global-595 | Manual | Manual | Medium |
1.25 | Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’ | lacework-global-596 | Manual | Manual | High |
1.1 Security Defaults
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | lacework-global-513 | Manual | Manual | High |
1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | lacework-global-514 | Manual | Manual | High |
1.1.3 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | lacework-global-597 | Manual | Manual | Medium |
1.1.4 | Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | lacework-global-515 | Manual | Manual | Medium |
1.2 Conditional Access
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
1.2.1 | Ensure Trusted Locations Are Defined | lacework-global-516 | Manual | Manual | Medium |
1.2.2 | Ensure that an exclusionary Geographic Access Policy is considered | lacework-global-517 | Manual | Manual | Low |
1.2.3 | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | lacework-global-518 | Manual | Manual | High |
1.2.4 | Ensure that A Multi-factor Authentication Policy Exists for All Users | lacework-global-519 | Manual | Manual | High |
1.2.5 | Ensure Multi-factor Authentication is Required for Risky Sign-ins | lacework-global-520 | Manual | Manual | High |
1.2.6 | Ensure Multi-factor Authentication is Required for Azure Management | lacework-global-521 | Manual | Manual | High |
2. Microsoft Defender for Cloud
As of 16th February 2023, the following sections will remain manual:
- 2.1 - Defender Plans (moved from Manual Policies (that were deemed automated)).
- 2.2 - Auto Provisioning (moved from Unimplemented Policies).
- 2.3 - Email Notifications (moved from Manual Policies (that were deemed automated)).
The CIS Azure 1.5.0 Benchmark recommends that if you have existing products (such as Lacework) that provide the same utility as some Microsoft Defender for Cloud products, you can ignore the recommendations in Section 2. Lacework has included all controls for 2 - Microsoft Defender for Cloud as manual Lacework policies so that you can read and understand the scope of CIS recommendations.
Lacework recommends that you analyze the scope of all the policies in subsection 2.1 and make a decision that is suitable for the needs of your environment. Note that enabling Microsoft Defender will incur extra costs to provide functionality already covered by the Lacework platform.
In a future release, the LQL datasource for Microsoft Defender settings will be made available. This will allow you to write your own custom LQL-based policies against Microsoft Defender settings, to match your own security posture program needs.
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.5 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | lacework-global-522 | Manual | Manual | High |
2.6 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | lacework-global-523 | Manual | Manual | High |
2.1 Defender Plans
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | lacework-global-598 | Manual | Manual | Medium |
2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | lacework-global-599 | Manual | Manual | Medium |
2.1.3 | Ensure That Microsoft Defender for Databases Is Set To 'On' | lacework-global-600 | Manual | Manual | Medium |
2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | lacework-global-601 | Manual | Manual | Medium |
2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | lacework-global-602 | Manual | Manual | Medium |
2.1.6 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | lacework-global-603 | Manual | Manual | Medium |
2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | lacework-global-604 | Manual | Manual | Medium |
2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | lacework-global-605 | Manual | Manual | Medium |
2.1.9 | Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' | lacework-global-606 | Manual | Manual | Medium |
2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | lacework-global-607 | Manual | Manual | Medium |
2.1.11 | Ensure That Microsoft Defender for DNS Is Set To 'On' | lacework-global-608 | Manual | Manual | Medium |
2.1.12 | Ensure That Microsoft Defender for IoT Is Set To 'On' | lacework-global-609 | Manual | Manual | Medium |
2.1.13 | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | lacework-global-610 | Manual | Manual | Medium |
2.2 Auto Provisioning
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.2.1 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | lacework-global-524 | Automated | Manual | High |
2.2.2 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | lacework-global-611 | Automated | Manual | Medium |
2.2.3 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | lacework-global-612 | Automated | Manual | Medium |
2.3 Email Notifications
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.3.1 | Ensure That 'All users with the following roles' is set to 'Owner' | lacework-global-525 | Automated | Manual | High |
2.3.2 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | lacework-global-526 | Automated | Manual | High |
2.3.3 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | lacework-global-527 | Automated | Manual | High |
2.4 Integrations
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.4.1 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | lacework-global-613 | Manual | Manual | Medium |
2.4.2 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | lacework-global-614 | Manual | Manual | Medium |
3. Storage Accounts
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | lacework-global-528 | Automated | Automated | High |
3.2 | Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ | lacework-global-615 | Manual | Automated | Low |
3.3 | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | lacework-global-529 | Manual | Manual | Medium |
3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | lacework-global-530 | Manual | Manual | High |
3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | lacework-global-616 | Automated | Manual | High |
3.6 | Ensure that Shared Access Signature Tokens Expire Within an Hour | lacework-global-531 | Manual | Manual | High |
3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | lacework-global-532 | Automated | Automated | Critical |
3.8 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | lacework-global-533 | Automated | Automated | High |
3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | lacework-global-617 | Automated | Automated | High |
3.10 | Use Private Endpoints to access Storage Accounts | lacework-global-534 | Manual | Automated | Medium |
3.11 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | lacework-global-535 | Automated | Manual | High |
3.12 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | lacework-global-618 | Manual | Manual | High |
3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | lacework-global-619 | Automated | Manual | High |
3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | lacework-global-620 | Automated | Manual | High |
3.15 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | lacework-global-536 | Automated | Automated | Medium |
4. Database Services
4.1 SQL Server - Auditing
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
4.1.1 | Ensure that 'Auditing' is set to 'On' | lacework-global-537 | Automated | Manual | High |
4.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | lacework-global-538 | Automated | Automated | High |
4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | lacework-global-621 | Automated | Automated | High |
4.1.4 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | lacework-global-539 | Automated | Automated | High |
4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | lacework-global-540 | Automated | Automated | High |
4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | lacework-global-541 | Automated | Manual | High |
4.2 SQL Server - Microsoft Defender for SQL
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
4.2.1 | Set Microsoft Defender for SQL to 'On' for critical SQL Servers | lacework-global-622 | Automated | Automated | High |
4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | lacework-global-623 | Automated | Automated | Medium |
4.2.3 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | lacework-global-624 | Automated | Automated | Medium |
4.2.4 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | lacework-global-625 | Automated | Automated | Medium |
4.2.5 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | lacework-global-542 | Automated | Automated | Medium |
4.3 PostgreSQL Database Server
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
4.3.1 | Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server | lacework-global-543 | Automated | Automated | High |
4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | lacework-global-544 | Automated | Automated | High |
4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | lacework-global-545 | Automated | Automated | High |
4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | lacework-global-546 | Automated | Automated | High |
4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | lacework-global-547 | Automated | Automated | High |
4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | lacework-global-548 | Automated | Automated | High |
4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | lacework-global-549 | Manual | Automated | High |
4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | lacework-global-550 | Automated | Automated | Medium |
4.4 MySQL Database
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | lacework-global-551 | Automated | Automated | High |
4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | lacework-global-552 | Automated | Automated | Medium |
4.4.3 | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | lacework-global-626 | Manual | Manual | Medium |
4.4.4 | Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | lacework-global-627 | Manual | Manual | Medium |
4.5 Cosmos DB
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
4.5.1 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | lacework-global-628 | Manual | Automated | Medium |
4.5.2 | Ensure That Private Endpoints Are Used Where Possible | lacework-global-629 | Manual | Automated | Medium |
5. Logging and Monitoring
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
5.3 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | lacework-global-553 | Manual | Manual | High |
5.1 Configuring Diagnostic Settings
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
5.1.1 | Ensure that a 'Diagnostic Setting' exists | lacework-global-554 | Manual | Manual | Low |
5.1.2 | Ensure Diagnostic Setting captures appropriate categories | lacework-global-555 | Automated | Automated | Low |
5.1.3 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | lacework-global-556 | Automated | Manual | High |
5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | lacework-global-630 | Automated | Manual | Medium |
5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | lacework-global-557 | Automated | Automated | High |
5.1.6 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | lacework-global-631 | Manual | Manual | Low |
5.1.7 | Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled. | lacework-global-632 | Manual | Manual | Medium |
5.2 Monitoring using Activity Log Alerts
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | lacework-global-558 | Automated | Automated | Medium |
5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | lacework-global-559 | Automated | Automated | Medium |
5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | lacework-global-560 | Automated | Automated | High |
5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | lacework-global-561 | Automated | Automated | High |
5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution | lacework-global-562 | Automated | Automated | High |
5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution | lacework-global-563 | Automated | Automated | High |
5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | lacework-global-564 | Automated | Automated | High |
5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | lacework-global-565 | Automated | Automated | High |
5.2.9 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | lacework-global-566 | Automated | Automated | High |
5.2.10 | Ensure that Activity Log Alert exists for Delete Public IP Address rule | lacework-global-567 | Automated | Automated | High |
6. Networking
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
6.1 | Ensure that RDP access from the Internet is evaluated and restricted | lacework-global-568 | Automated | Automated | High |
6.2 | Evaluate and restrict SSH access from the Internet | lacework-global-569 | Automated | Automated | High |
6.3 | Ensure that UDP access from the Internet is evaluated and restricted | lacework-global-570 | Automated | Automated | Medium |
6.4 | Ensure that HTTP(S) access from the Internet is evaluated and restricted | lacework-global-571 | Automated | Automated | High |
6.5 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | lacework-global-633 | Automated | Automated | Medium |
6.6 | Ensure that Network Watcher is 'Enabled' | lacework-global-634, lacework-global-816 | Manual | Automated | High |
6.7 | Ensure that Public IP addresses are Evaluated on a Periodic Basis | lacework-global-572 | Manual | Manual | Medium |
7. Virtual Machines
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
7.1 | Ensure Virtual Machines are utilizing Managed Disks | lacework-global-573 | Manual | Automated | Info |
7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | lacework-global-635 | Automated | Automated | High |
7.3 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | lacework-global-636 | Automated | Automated | High |
7.4 | Ensure that Only Approved Extensions Are Installed | lacework-global-574 | Manual | Manual | High |
7.5 | Ensure that Endpoint Protection for all Virtual Machines is installed | lacework-global-637 | Manual | Manual | Medium |
7.6 | [Legacy] Ensure that VHDs are Encrypted | lacework-global-638 | Manual | Manual | Medium |
8. Key Vault
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | lacework-global-575 | Automated | Manual | High |
8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | lacework-global-576 | Automated | Manual | High |
8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | lacework-global-577 | Automated | Manual | High |
8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | lacework-global-578 | Automated | Manual | High |
8.5 | Ensure the Key Vault is Recoverable | lacework-global-579 | Automated | Automated | High |
8.6 | Enable Role Based Access Control for Azure Key Vault | lacework-global-639 | Manual | Automated | High |
8.7 | Use Private Endpoints for Azure Key Vault | lacework-global-640 | Manual | Automated | Medium |
8.8 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | lacework-global-641 | Manual | Manual | High |
9. AppService
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | lacework-global-642 | Automated | Automated | Medium |
9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | lacework-global-580 | Automated | Automated | High |
9.3 | Ensure Web App is using the latest version of TLS encryption | lacework-global-581 | Automated | Automated | Medium |
9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | lacework-global-643 | Automated | Automated | High |
9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | lacework-global-582 | Automated | Automated | Medium |
9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | lacework-global-583 | Manual | Manual | Medium |
9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | lacework-global-584 | Manual | Manual | Medium |
9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | lacework-global-585 | Manual | Manual | Medium |
9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | lacework-global-586 | Automated | Automated | Medium |
9.10 | Ensure FTP deployments are Disabled | lacework-global-587 | Automated | Automated | Medium |
9.11 | Ensure Azure Key Vaults are Used to Store Secrets | lacework-global-644 | Manual | Manual | Medium |
10. Miscellaneous
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
10.1 | Ensure that Resource Locks are set for Mission-Critical Azure Resources | lacework-global-645 | Manual | Manual | Critical |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an Azure environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).
Automated Policies (that were deemed manual)
In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.
The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:
Control ID | Lacework Policy ID | Title |
---|---|---|
3.2 | lacework-global-615 | Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ |
3.10 | lacework-global-534 | Use Private Endpoints to access Storage Accounts |
4.3.7 | lacework-global-549 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
4.5.1 | lacework-global-628 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks |
4.5.2 | lacework-global-629 | Ensure That Private Endpoints Are Used Where Possible |
6.6 | lacework-global-634, lacework-global-816 | Ensure that Network Watcher is 'Enabled' |
7.1 | lacework-global-573 | Ensure Virtual Machines are utilizing Managed Disks |
8.6 | lacework-global-639 | Enable Role Based Access Control for Azure Key Vault |
8.7 | lacework-global-640 | Use Private Endpoints for Azure Key Vault |
Policies that are pending automation
Lacework intends to automate the policies listed below in a future release. All of these controls were deemed as manual by CIS.
Control ID | Lacework Policy ID | Title |
---|---|---|
5.1.6 | lacework-global-631 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics |
8.8 | lacework-global-641 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services |
Manual Policies (that were deemed automated)
In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.
This is usually for one of the following reasons:
- The scope of the check is defined by the user.
- The check requires configuring other products or API permissions that are out of scope.
- There are known issues with the audit procedure described by the CIS control.
The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:
Lacework intends to automate these policies in a future release.
Control ID | Lacework Policy ID | Title |
---|---|---|
4.1.1 | lacework-global-537 | Ensure that 'Auditing' is set to 'On' |
4.1.6 | lacework-global-541 | Ensure that 'Auditing' Retention is 'greater than 90 days' |
Permanently Manual Policies (that were deemed automated)
The following table outlines controls that were deemed automated by CIS, but will remain as manual policies:
For sections 2.2 and 2.3, see 2 - Microsoft Defender for Cloud for additional details.
Control ID | Lacework Policy ID | Title |
---|---|---|
2.2.1 | lacework-global-524 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
2.2.2 | lacework-global-611 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' |
2.2.3 | lacework-global-612 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' |
2.3.1 | lacework-global-525 | Ensure That 'All users with the following roles' is set to 'Owner' |
2.3.2 | lacework-global-526 | Ensure 'Additional email addresses' is Configured with a Security Contact Email |
2.3.3 | lacework-global-527 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' |
3.5 | lacework-global-616 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests |
3.11 | lacework-global-535 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage |
3.13 | lacework-global-619 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests |
3.14 | lacework-global-620 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests |
5.1.3 | lacework-global-556 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible |
5.1.4 | lacework-global-630 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key |
Unimplemented Policies
The following policies are not yet implemented in our Compliance platform. Lacework will be adding these policies soon.
All policies listed in the table below are intended to be automated once released:
Control ID | Lacework Policy ID | Title |
---|---|---|
8.1 | lacework-global-575 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults |
8.2 | lacework-global-576 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults |
8.3 | lacework-global-577 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults |
8.4 | lacework-global-578 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults |
Adjusted Controls
6.6 Ensure that Network Watcher is 'Enabled'
This control has been split into two policies in order to monitor either:
- All regions including Reserved access regions (lacework-global-634).
- All regions excluding Reserved access regions (lacework-global-816).
The table below outlines each policy and their title:
Control ID | Lacework Policy ID | Title | Enabled by default? |
---|---|---|---|
6.6 | lacework-global-634 | Ensure that Network Watcher is 'Enabled' (includes Reserved access regions) | True |
6.6 | lacework-global-816 | Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) | False |
If you do not use Reserved access regions, disable lacework-global-634 and enable lacework-global-816 in its place.
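The following is an added example (not Lacework's policy code) that shows the logic behind the two-policy split above: the control is satisfied when every region that hosts a virtual network has a Network Watcher in the Succeeded provisioning state, and the second variant simply drops Reserved access regions from the set of regions under evaluation. The inventory records are constructed inline; their field names (location, provisioningState) are assumed to follow the shape of `az network vnet list` and `az network watcher list` output, and the Reserved access region set is a placeholder chosen for illustration.

```python
"""Evaluate CIS Azure 1.5.0 control 6.6 (Network Watcher enabled) against a
constructed resource inventory, in both the "includes Reserved access regions"
and "excludes Reserved access regions" forms described on this page."""

# Constructed sample data (not real resources). Only the fields the check
# reads are included; the field names are assumed to match az CLI JSON output.
VNETS = [
    {"name": "hub-vnet", "location": "eastus"},
    {"name": "app-vnet", "location": "westeurope"},
    {"name": "dr-vnet", "location": "brazilsoutheast"},
]

NETWORK_WATCHERS = [
    {"name": "NetworkWatcher_eastus", "location": "eastus", "provisioningState": "Succeeded"},
    {"name": "NetworkWatcher_westeurope", "location": "westeurope", "provisioningState": "Succeeded"},
    # A watcher in a region with no VNets is irrelevant to the check.
    {"name": "NetworkWatcher_centralus", "location": "centralus", "provisioningState": "Succeeded"},
]

# Assumed placeholder set of Reserved access regions, for illustration only.
RESERVED_ACCESS_REGIONS = {"brazilsoutheast"}


def regions_in_use(vnets):
    """Regions that host at least one virtual network (case-normalised)."""
    return {v["location"].lower() for v in vnets}


def regions_with_watcher(watchers):
    """Regions with a Network Watcher whose provisioning actually completed."""
    return {
        w["location"].lower()
        for w in watchers
        if w.get("provisioningState") == "Succeeded"
    }


def evaluate_network_watcher(vnets, watchers, exclude_reserved=False,
                             reserved=RESERVED_ACCESS_REGIONS):
    """Return (compliant, missing_regions).

    exclude_reserved=False mirrors the scope of lacework-global-634 (every
    region in use must have a watcher); exclude_reserved=True mirrors
    lacework-global-816 (Reserved access regions are left out of scope).
    """
    in_scope = regions_in_use(vnets)
    if exclude_reserved:
        in_scope -= {r.lower() for r in reserved}
    missing = sorted(in_scope - regions_with_watcher(watchers))
    return (not missing, missing)


if __name__ == "__main__":
    for label, excl in (("lacework-global-634", False), ("lacework-global-816", True)):
        ok, missing = evaluate_network_watcher(VNETS, NETWORK_WATCHERS, exclude_reserved=excl)
        print(f"{label}: {'compliant' if ok else 'non-compliant'} missing={missing}")
```

With the constructed inventory the first variant fails only because the Reserved access region has no watcher, while the second passes; a watcher whose provisioningState is anything other than Succeeded is treated as absent in both variants.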
FAQs
Why are there so many manual policies in CIS Azure 1.5.0?
- The Azure v1.5.0 benchmark (published by CIS) has 147 policies: 69 automated and 78 manual.
- In comparison, the Azure v1.3.1 benchmark had 111 policies: 61 automated and 50 manual.
Because some policies are not yet implemented and others have been temporarily released as manual, Lacework's v1.5.0 benchmark may appear to have a disproportionate number of manual policies. As noted above, however, more than 50% of the CIS Azure 1.5.0 policies are manual in the benchmark itself.
Why were some policies in v1.3.1 automated but now moved to manual in v1.5.0?
A set of five policies were automated in v1.3.1 and are still marked as automated by CIS in v1.5.0. Lacework has temporarily released these five policies as manual, with a plan to automate them in the future. See Manual Policies (that were deemed automated).
A further set of six policies were automated in v1.3.1 and are marked as automated by CIS in v1.5.0. Lacework has delivered these as manual policies in v1.5.0. See Permanently Manual Policies (that were deemed automated).
Why were some policies in v1.3.1 manual but now moved to automated in v1.5.0?
Lacework is sometimes able to monitor the required resources for a given policy (even when deemed as manual by CIS). These policies are then automated in the Lacework Compliance Platform.
Three policies that were manual in v1.3.1 have been automated by Lacework for v1.5.0:
- Azure_CIS_131_6_5
- Azure_CIS_131_7_1
- Azure_CIS_131_9_9
In addition, four policies that are new in v1.5.0 have been automated even though CIS specifies them as manual.
Do I have improved coverage with v1.5.0 versus what I had with v1.3.1?
Once Lacework delivers the remaining unimplemented policies and the planned automation of manual policies (including Policies that are pending automation), coverage for v1.5.0 will exceed that of v1.3.1.
Which policies are yet to be updated/released within the v1.5.0 benchmark?
As of 1st March 2023, there are 4 unimplemented policies. Work is in progress to complete automation of these policies.
There are also 4 policies that have been marked as manual by CIS for v1.5.0, but Lacework intends to automate these policies in a future release. See Policies that are pending automation.
Why do control IDs 8.6 and 8.7 show as "Could Not Assess" in policy assessments and reports?
Policy assessments and reports for control IDs 8.6 and 8.7 may show "Could Not Assess" if you do not have the Key Vault Reader role assigned to the Lacework application used for the integration.
This applies to Azure Key Vaults in your subscription/tenant that do not have RBAC enabled.
See Assign Azure Key Vault permissions in the Azure integration prerequisites for help in assigning this role.