CIS Azure 1.5.0 Benchmark
Lacework provides compliance policies based on CIS Microsoft Azure Foundations Benchmark v1.5.0 (or CIS Azure 1.5.0 Benchmark for short).
Once you have integrated your Microsoft Azure environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Revision History
- Revision 2
- Revision 1
Added
| Control ID | Lacework Policy ID | Title | Enabled by default? |
|---|---|---|---|
| 6.6 | lacework-global-816 | Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) | False |
See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
Initial release.
Visibility and Usage in the Lacework Console
You can use the CIS Azure 1.5.0 Benchmark in the following ways:
- Enable or disable policies through the Policies page (see CIS Azure 1.5.0 Benchmark Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled CIS Azure 1.5.0 Benchmark policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the CIS Azure 1.5.0 Benchmark.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the CIS Azure 1.5.0 Benchmark as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your Azure environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Azure 1.5.0 Benchmark:
- Integrate Lacework with Azure
- A Configuration integration is the minimum requirement for your tenants/subscriptions to gain access to our Compliance platform functionality.
- Ensure that you have also assigned the appropriate Azure Key Vault permissions to the Azure application created for Lacework.
Previous Integrations using Terraform
If you have previously integrated Azure with Lacework using Terraform before this benchmark was available:
- Enter the directory containing the Terraform files used for the integration.
- Run
terraform init -upgradeto initialize the working directory (containing the Terraform files). - Run
terraform planand review the changes that will be applied. - Once satisfied with the changes that will be applied, run
terraform applyto upgrade the modules.
CIS Azure 1.5.0 Benchmark Policies
All policies in the CIS Azure 1.5.0 Benchmark are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:cis-azure-1-5-0 tag to filter for CIS Azure 1.5.0 policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the CIS Azure 1.5.0 policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-azure-1-5-0
lacework policy disable --tag framework:cis-azure-1-5-0
Enable or disable specific CIS Azure 1.5.0 policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-528
lacework policy disable lacework-global-528
Policy Mapping for CIS Azure 1.5.0
The CIS Azure 1.5.0 controls are mapped to Lacework policies, as listed in the following tables.
Table key:
- Control ID - The CIS Azure 1.5.0 Benchmark security control identifier.
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
- Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
- 1. Identity and Access Management (IAM)
- 2. Microsoft Defender for Cloud
- 3. Storage Accounts
- 4. Database Services
- 5. Logging and Monitoring
- 6. Networking
- 7. Virtual Machines
- 8. Key Vault
- 9. AppService
- 10. Miscellaneous
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.3 | Set Up Access Review for External Users in Azure AD Privileged Identity Management | lacework-global-588 | Manual | Manual | Low |
| 1.4 | Review Guest Users on a Regular Basis | lacework-global-499 | Manual | Manual | Medium |
| 1.5 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | lacework-global-500 | Manual | Manual | High |
| 1.6 | Set 'Number of methods required to reset' to '2' | lacework-global-501 | Manual | Manual | High |
| 1.7 | Set a Custom Bad Password List to 'Enforce' for your Organization | lacework-global-502 | Manual | Manual | High |
| 1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | lacework-global-503 | Manual | Manual | High |
| 1.9 | Set 'Notify users on password resets?' to 'Yes' | lacework-global-504 | Manual | Manual | High |
| 1.10 | Set 'Notify all admins when other admins reset their password?' to 'Yes' | lacework-global-505 | Manual | Manual | High |
| 1.11 | Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers' | lacework-global-589 | Manual | Manual | Medium |
| 1.12 | Set 'Users can consent to apps accessing company data on their behalf' to 'No' | lacework-global-506 | Manual | Manual | Medium |
| 1.13 | Set 'Users can add gallery apps to My Apps' to 'No' | lacework-global-507 | Manual | Manual | High |
| 1.14 | Set 'Users Can Register Applications' to 'No' | lacework-global-508 | Manual | Manual | High |
| 1.15 | Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects' | lacework-global-509 | Manual | Manual | High |
| 1.16 | Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users" | lacework-global-590 | Manual | Manual | Critical |
| 1.17 | Set 'Restrict access to Azure AD administration portal' to 'Yes' | lacework-global-510 | Manual | Manual | Critical |
| 1.18 | Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes' | lacework-global-591 | Manual | Manual | High |
| 1.19 | Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No' | lacework-global-592 | Manual | Manual | High |
| 1.20 | Set 'Owners can manage group membership requests in the Access Panel' to 'No' | lacework-global-593 | Manual | Manual | High |
| 1.21 | Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' | lacework-global-594 | Manual | Manual | High |
| 1.22 | Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes' | lacework-global-511 | Manual | Manual | Medium |
| 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | lacework-global-512 | Automated | Automated | Medium |
| 1.24 | Assign Permissions for Administering Resource Locks to a Custom Role | lacework-global-595 | Manual | Manual | Medium |
| 1.25 | Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One' | lacework-global-596 | Manual | Manual | High |
- 1.1 Security Defaults
- 1.2 Conditional Access
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.1.1 | Enable Security Defaults on Azure Active Directory | lacework-global-513 | Manual | Manual | High |
| 1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | lacework-global-514 | Manual | Manual | High |
| 1.1.3 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | lacework-global-597 | Manual | Manual | Medium |
| 1.1.4 | Enable 'Restore multi-factor authentication on all remembered devices' | lacework-global-515 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.2.1 | Define Trusted Locations | lacework-global-516 | Manual | Manual | Medium |
| 1.2.2 | Consider an exclusionary Geographic Access Policy | lacework-global-517 | Manual | Manual | Low |
| 1.2.3 | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | lacework-global-518 | Manual | Manual | High |
| 1.2.4 | Ensure that A Multi-factor Authentication Policy Exists for All Users | lacework-global-519 | Manual | Manual | High |
| 1.2.5 | Require Multi-factor Authentication for Risky Sign-ins | lacework-global-520 | Manual | Manual | High |
| 1.2.6 | Require Multi-factor Authentication for Azure Management | lacework-global-521 | Manual | Manual | High |
As of 16th February 2023, the following sections will remain manual:
- 2.1 - Defender Plans (moved from Manual Policies (that were deemed automated)).
- 2.2 - Auto Provisioning (moved from Unimplemented Policies).
- 2.3 - Email Notifications (moved from Manual Policies (that were deemed automated))
The CIS Azure 1.5.0 Benchmark recommends that if you have existing products (such as Lacework) that provide the same utility as some Microsoft Defender for Cloud products, you can ignore the recommendations in Section 2. Lacework has included all controls for 2 - Microsoft Defender for Cloud as manual Lacework policies so that you can read and understand the scope of CIS recommendations.
Lacework recommends that you analyze the scope of all the policies in subsection 2.1 and make a decision that is suitable for the needs of your environment. Note that enabling Microsoft Defender will incur extra costs to provide functionality already covered by the Lacework platform.
In a future release, the LQL datasource for Microsoft Defender settings will be made available. This will allow you to write your own custom LQL-based policies against Microsoft Defender settings, to match your own security posture program needs.
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.5 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | lacework-global-522 | Manual | Manual | High |
| 2.6 | Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' | lacework-global-523 | Manual | Manual | High |
- 2.1 Defender Plans
- 2.2 Auto Provisioning
- 2.3 Email Notifications
- 2.4 Integrations
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.1.1 | Set Microsoft Defender for Servers to 'On' | lacework-global-598 | Manual | Manual | Medium |
| 2.1.2 | Set Microsoft Defender for App Services To 'On' | lacework-global-599 | Manual | Manual | Medium |
| 2.1.3 | Set Microsoft Defender for Databases To 'On' | lacework-global-600 | Manual | Manual | Medium |
| 2.1.4 | Set Microsoft Defender for Azure SQL Databases To 'On' | lacework-global-601 | Manual | Manual | Medium |
| 2.1.5 | Set Microsoft Defender for SQL Servers on Machines To 'On' | lacework-global-602 | Manual | Manual | Medium |
| 2.1.6 | Set Microsoft Defender for Open-Source Relational Databases To 'On' | lacework-global-603 | Manual | Manual | Medium |
| 2.1.7 | Set Microsoft Defender for Storage To 'On' | lacework-global-604 | Manual | Manual | Medium |
| 2.1.8 | Set Microsoft Defender for Containers To 'On' | lacework-global-605 | Manual | Manual | Medium |
| 2.1.9 | Set Microsoft Defender for Cosmos DB To 'On' | lacework-global-606 | Manual | Manual | Medium |
| 2.1.10 | Set Microsoft Defender for Key Vault To 'On' | lacework-global-607 | Manual | Manual | Medium |
| 2.1.11 | Set Microsoft Defender for Domain Name System (DNS) To 'On' | lacework-global-608 | Manual | Manual | Medium |
| 2.1.12 | Set Microsoft Defender for IoT To 'On' | lacework-global-609 | Manual | Manual | Medium |
| 2.1.13 | Set Microsoft Defender for Resource Manager To 'On' | lacework-global-610 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.2.1 | Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' | lacework-global-524 | Automated | Manual | High |
| 2.2.2 | Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' | lacework-global-611 | Automated | Manual | Medium |
| 2.2.3 | Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' | lacework-global-612 | Automated | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.3.1 | Set 'All users with the following roles' to 'Owner' | lacework-global-525 | Automated | Manual | High |
| 2.3.2 | Configure 'Additional email addresses' with a Security Contact Email | lacework-global-526 | Automated | Manual | High |
| 2.3.3 | Set 'Notify about alerts with the following severity' to 'High' | lacework-global-527 | Automated | Manual | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.4.1 | Select Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud | lacework-global-613 | Manual | Manual | Medium |
| 2.4.2 | Select Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud | lacework-global-614 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.1 | Set 'Secure transfer required' to 'Enabled' | lacework-global-528 | Automated | Automated | High |
| 3.2 | Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' | lacework-global-615 | Manual | Automated | Low |
| 3.3 | Enable 'Enable key rotation reminders' for each Storage Account | lacework-global-529 | Manual | Manual | Medium |
| 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | lacework-global-530 | Manual | Manual | High |
| 3.5 | Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests | lacework-global-616 | Automated | Manual | High |
| 3.6 | Ensure that Shared Access Signature Tokens Expire Within an Hour | lacework-global-531 | Manual | Manual | High |
| 3.7 | Disable 'Public access level' for storage accounts with blob containers | lacework-global-532 | Automated | Automated | Critical |
| 3.8 | Set Default Network Access Rule for Storage Accounts to Deny | lacework-global-533 | Automated | Automated | High |
| 3.9 | Enable 'Allow Azure services on the trusted services list to access this storage account' for Storage Account Access | lacework-global-617 | Automated | Automated | High |
| 3.10 | Use Private Endpoints to access Storage Accounts | lacework-global-534 | Manual | Automated | Medium |
| 3.11 | Enable Soft Delete for Azure Containers and Blob Storage | lacework-global-535 | Automated | Manual | High |
| 3.12 | Encrypt Storage for Critical Data with Customer Managed Keys | lacework-global-618 | Manual | Manual | High |
| 3.13 | Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests | lacework-global-619 | Automated | Manual | High |
| 3.14 | Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests | lacework-global-620 | Automated | Manual | High |
| 3.15 | Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" | lacework-global-536 | Automated | Automated | Medium |
- 4.1 SQL Server - Auditing
- 4.2 SQL Server - Microsoft Defender for SQL
- 4.3 PostgreSQL Database Server
- 4.4 MySQL Database
- 4.5 Cosmos DB
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.1.1 | Set 'Auditing' to 'On' | lacework-global-537 | Automated | Manual | High |
| 4.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (any IP) | lacework-global-538 | Automated | Automated | High |
| 4.1.3 | Encrypt SQL server's Transparent Data Encryption (TDE) protector with Customer-managed key | lacework-global-621 | Automated | Automated | High |
| 4.1.4 | Configure Azure Active Directory Admin for SQL Servers | lacework-global-539 | Automated | Automated | High |
| 4.1.5 | Set 'Data encryption' to 'On' on a SQL Database | lacework-global-540 | Automated | Automated | High |
| 4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | lacework-global-541 | Automated | Manual | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.2.1 | Set Microsoft Defender for SQL to 'On' for critical SQL Servers | lacework-global-622 | Automated | Automated | High |
| 4.2.2 | Enable Vulnerability Assessment (VA) on a SQL server by setting a Storage Account | lacework-global-623 | Automated | Automated | Medium |
| 4.2.3 | Set Vulnerability Assessment (VA) setting 'Periodic recurring scans' to 'on' for each SQL server | lacework-global-624 | Automated | Automated | Medium |
| 4.2.4 | Configure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server | lacework-global-625 | Automated | Automated | Medium |
| 4.2.5 | Set Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' for each SQL Server | lacework-global-542 | Automated | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.3.1 | Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server | lacework-global-543 | Automated | Automated | High |
| 4.3.2 | Set Server Parameter 'log_checkpoints' to 'ON' for PostgreSQL Database Server | lacework-global-544 | Automated | Automated | High |
| 4.3.3 | Set server parameter 'log_connections' to 'ON' for PostgreSQL Database Server | lacework-global-545 | Automated | Automated | High |
| 4.3.4 | Set server parameter 'log_disconnections' to 'ON' for PostgreSQL Database Server | lacework-global-546 | Automated | Automated | High |
| 4.3.5 | Set server parameter 'connection_throttling' to 'ON' for PostgreSQL Database Server | lacework-global-547 | Automated | Automated | High |
| 4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | lacework-global-548 | Automated | Automated | High |
| 4.3.7 | Disable 'Allow access to Azure services' for PostgreSQL Database Server | lacework-global-549 | Manual | Automated | High |
| 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | lacework-global-550 | Automated | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.4.1 | Set 'Enforce SSL connection' to 'Enabled' for Standard MySQL Database Server | lacework-global-551 | Automated | Automated | High |
| 4.4.2 | Set 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server | lacework-global-552 | Automated | Automated | Medium |
| 4.4.3 | Set server parameter 'audit_log_enabled' to 'ON' for MySQL Database Server | lacework-global-626 | Manual | Manual | Medium |
| 4.4.4 | Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | lacework-global-627 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.5.1 | Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks | lacework-global-628 | Manual | Automated | Medium |
| 4.5.2 | Use Private Endpoints Where Possible | lacework-global-629 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.3 | Enable Azure Monitor Resource Logging for All Services that Support it | lacework-global-553 | Manual | Manual | High |
- 5.1 Configuring Diagnostic Settings
- 5.2 Monitoring using Activity Log Alerts
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.1.1 | Ensure that a 'Diagnostic Setting' exists | lacework-global-554 | Manual | Manual | Low |
| 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | lacework-global-555 | Automated | Automated | Low |
| 5.1.3 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | lacework-global-556 | Automated | Manual | High |
| 5.1.4 | Encrypt the storage account containing the container with activity logs with Customer Managed Key | lacework-global-630 | Automated | Manual | Medium |
| 5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | lacework-global-557 | Automated | Automated | High |
| 5.1.6 | Capture Network Security Group (NSG) Flow logs and send to Log Analytics | lacework-global-631 | Manual | Manual | Low |
| 5.1.7 | Enable logging for Azure AppService 'HTTP logs' | lacework-global-632 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | lacework-global-558 | Automated | Automated | Medium |
| 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | lacework-global-559 | Automated | Automated | Medium |
| 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | lacework-global-560 | Automated | Automated | High |
| 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | lacework-global-561 | Automated | Automated | High |
| 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution | lacework-global-562 | Automated | Automated | High |
| 5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution | lacework-global-563 | Automated | Automated | High |
| 5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | lacework-global-564 | Automated | Automated | High |
| 5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | lacework-global-565 | Automated | Automated | High |
| 5.2.9 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | lacework-global-566 | Automated | Automated | High |
| 5.2.10 | Ensure that Activity Log Alert exists for Delete Public IP Address rule | lacework-global-567 | Automated | Automated | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 6.1 | Evaluate and restrict Remote Desktop Protocol (RDP) access from the Internet | lacework-global-568 | Automated | Automated | High |
| 6.2 | Evaluate and restrict SSH access from the Internet | lacework-global-569 | Automated | Automated | High |
| 6.3 | Evaluate and restrict User Datagram Protocol (UDP) access from the Internet | lacework-global-570 | Automated | Automated | Medium |
| 6.4 | Evaluate and restrict HTTP(S) access from the Internet | lacework-global-571 | Automated | Automated | High |
| 6.5 | Ensure that Network Security Group (NSG) Flow Log retention period is 'greater than 90 days' | lacework-global-633 | Automated | Automated | Medium |
| 6.6 | Ensure that Network Watcher is 'Enabled' (includes Reserved access regions) | lacework-global-634 | Manual | Automated | High |
| 6.7 | Evaluate Public IP addresses on a Periodic Basis | lacework-global-572 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 7.1 | Ensure Virtual Machines are utilizing Managed Disks | lacework-global-573 | Manual | Automated | Info |
| 7.2 | Encrypt 'OS and Data' disks with Customer Managed Key (CMK) | lacework-global-635 | Automated | Automated | High |
| 7.3 | Encrypt 'Unattached disks' with Customer Managed Key (CMK) | lacework-global-636 | Automated | Automated | High |
| 7.4 | Install Only Approved Extensions | lacework-global-574 | Manual | Manual | High |
| 7.5 | Install Endpoint Protection for all Virtual Machines | lacework-global-637 | Manual | Manual | Medium |
| 7.6 | (Legacy) Encrypt Virtual Hard Disks (VHD) | lacework-global-638 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | lacework-global-575 | Automated | Manual | High |
| 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | lacework-global-576 | Automated | Manual | High |
| 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | lacework-global-577 | Automated | Manual | High |
| 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | lacework-global-578 | Automated | Manual | High |
| 8.5 | Ensure the Key Vault is Recoverable | lacework-global-579 | Automated | Automated | High |
| 8.6 | Enable Role Based Access Control for Azure Key Vault | lacework-global-639 | Manual | Automated | High |
| 8.7 | Use Private Endpoints for Azure Key Vault | lacework-global-640 | Manual | Automated | Medium |
| 8.8 | Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services | lacework-global-641 | Manual | Manual | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 9.1 | Set up App Service Authentication for apps in Azure App Service | lacework-global-642 | Automated | Automated | Medium |
| 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | lacework-global-580 | Automated | Automated | High |
| 9.3 | Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption | lacework-global-581 | Automated | Automated | Medium |
| 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | lacework-global-643 | Automated | Automated | High |
| 9.5 | Enable Register with Azure Active Directory on App Service | lacework-global-582 | Automated | Automated | Medium |
| 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | lacework-global-583 | Manual | Manual | Medium |
| 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | lacework-global-584 | Manual | Manual | Medium |
| 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | lacework-global-585 | Manual | Manual | Medium |
| 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | lacework-global-586 | Automated | Automated | Medium |
| 9.10 | Disable File Transfer Protocol (FTP) deployments | lacework-global-587 | Automated | Automated | Medium |
| 9.11 | Use Azure Key Vaults to Store Secrets | lacework-global-644 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 10.1 | Set Resource Locks for Mission-Critical Azure Resources | lacework-global-645 | Manual | Manual | Critical |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an Azure environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).
Automated Policies (that were deemed manual)
In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.
The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 3.2 | lacework-global-615 | Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' |
| 3.10 | lacework-global-534 | Use Private Endpoints to access Storage Accounts |
| 4.3.7 | lacework-global-549 | Disable 'Allow access to Azure services' for PostgreSQL Database Server |
| 4.5.1 | lacework-global-628 | Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks |
| 4.5.2 | lacework-global-629 | Use Private Endpoints Where Possible |
| 6.6 | lacework-global-634 | Ensure that Network Watcher is 'Enabled' (includes Reserved access regions) |
| 7.1 | lacework-global-573 | Ensure Virtual Machines are utilizing Managed Disks |
| 8.6 | lacework-global-639 | Enable Role Based Access Control for Azure Key Vault |
| 8.7 | lacework-global-640 | Use Private Endpoints for Azure Key Vault |
Policies that are pending automation
Lacework intends to automate the policies listed below in a future release. All of these controls were deemed as manual by CIS.
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 5.1.6 | lacework-global-631 | Capture Network Security Group (NSG) Flow logs and send to Log Analytics |
| 8.8 | lacework-global-641 | Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services |
Manual Policies (that were deemed automated)
In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.
This is often due to one of the following reasons:
- Scope is defined by the user.
- It requires configuring other products or API permissions that are out of scope.
- Known issues for audit procedure described by the CIS control.
The following table outlines the CIS Azure 1.5.0 Benchmark policies that fall within this category:
Lacework intends to automate these policies in a future release.
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.1 | lacework-global-537 | Set 'Auditing' to 'On' |
| 4.1.6 | lacework-global-541 | Ensure that 'Auditing' Retention is 'greater than 90 days' |
Permanently Manual Policies (that were deemed automated)
The following table outlines controls that were deemed automated by CIS, but will remain as manual policies:
For sections 2.2 and 2.3, see 2 - Microsoft Defender for Cloud for additional details.
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 2.2.1 | lacework-global-524 | Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' |
| 2.2.2 | lacework-global-611 | Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' |
| 2.2.3 | lacework-global-612 | Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' |
| 2.3.1 | lacework-global-525 | Set 'All users with the following roles' to 'Owner' |
| 2.3.2 | lacework-global-526 | Configure 'Additional email addresses' with a Security Contact Email |
| 2.3.3 | lacework-global-527 | Set 'Notify about alerts with the following severity' to 'High' |
| 3.5 | lacework-global-616 | Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests |
| 3.11 | lacework-global-535 | Enable Soft Delete for Azure Containers and Blob Storage |
| 3.13 | lacework-global-619 | Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests |
| 3.14 | lacework-global-620 | Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests |
| 5.1.3 | lacework-global-556 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible |
| 5.1.4 | lacework-global-630 | Encrypt the storage account containing the container with activity logs with Customer Managed Key |
Unimplemented Policies
The following policies are not yet implemented into our Compliance platform. Lacework will be adding these policies soon.
All policies listed in the table below are intended to be automated once released:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 8.1 | lacework-global-575 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults |
| 8.2 | lacework-global-576 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. |
| 8.3 | lacework-global-577 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults |
| 8.4 | lacework-global-578 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults |
Adjusted Controls
6.6 Ensure that Network Watcher is 'Enabled'
This control has been split into two policies in order to monitor either:
- All regions including Reserved access regions (lacework-global-634).
- All regions excluding Reserved access regions (lacework-global-816).
The table below outlines each policy and their title:
| Control ID | Lacework Policy ID | Title | Enabled by default? |
|---|---|---|---|
| 6.6 | lacework-global-634 | Ensure that Network Watcher is 'Enabled' (includes Reserved access regions) | True |
| 6.6 | lacework-global-816 | Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) | False |
If you do not use the Reserved access regions, please disable lacework-global-634, and enable lacework-global-816 in its place.
FAQs
Why are there so many manual policies in CIS Azure 1.5.0?
- The Azure v1.5.0 benchmark (published by CIS) has 147 policies: 69 automated and 78 manual.
- In comparison, the Azure v1.3.1 benchmark had 111 policies: 61 automated and 50 manual.
Due to the policies yet to be implemented, and those temporarily released as manual, Lacework's v1.5.0 benchmark may appear to have an imbalance of manual policies. As noted though, more than 50% of the CIS Azure 1.5.0 policies are manual.
Why were some policies in v1.3.1 automated but now moved to manual in v1.5.0?
There were a set of five policies in v1.3.1 that were automated, and are still marked as automated by CIS in v1.5.0. Lacework has temporarily released these five policies as manual, with a plan to automate them in the future. See Manual Policies (that were deemed automated).
A further set of six policies in v1.3.1 were automated, and have been marked as automated by CIS in v1.5.0. Lacework has delivered manual policies for these in v1.5.0. See Permanently Manual Policies (that were deemed automated).
Why were some policies in v1.3.1 manual but now moved to automated in v1.5.0?
Lacework is sometimes able to monitor the required resources for a given policy (even when deemed as manual by CIS). These policies are then automated in the Lacework Compliance Platform.
Three policies that were manual in v1.3.1 have been automated by Lacework for v1.5.0:
- Azure_CIS_131_6_5
- Azure_CIS_131_7_1
- Azure_CIS_131_9_9
Also, an additional four policies that are new in v1.5.0 have been automated (where CIS specified them as manual).
Do I have improved coverage with v1.5.0 versus what I had with v1.3.1?
When Lacework delivers on remaining unimplemented policies and planned automation for manual policies (including Policies that are pending automation), coverage for v1.5.0 will be an improvement over v1.3.1.
Which policies are yet to be updated/released within the v1.5.0 benchmark?
As of 1st March 2023, there are 4 unimplemented policies. Work is in progress to complete automation of these policies.
There are also 4 policies that have been marked as manual by CIS for v1.5.0, but Lacework intends to automate these policies in a future release. See Policies that are pending automation.
Why do control IDs 8.6 and 8.7 show as "Could Not Assess" in policy assessments and reports?
Policy assessments and reports for control ID 8.6 and 8.7 may show "Could Not Assess" if you do have the Key Vault Reader role assigned to the Lacework application used for the integration.
This applies to Azure Key Vaults in your subscription/tenant that do not have RBAC enabled.
See Assign Azure Key Vault permissions in the Azure integration prerequisites for help in assigning this role.