1 Identity and Access Management
1.1 Ensure that multi-factor authentication is enabled for all privileged users
1.2 Ensure that multi-factor authentication is enabled for all non-privileged users
1.3 Ensure guest users are reviewed on a monthly basis
1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'
1.5 Ensure that 'Number of methods required to reset' is set to '2'
1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"
1.7 Ensure that 'Notify users on password resets?' is set to 'Yes'
1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
1.11 Ensure that 'Users can register applications' is set to 'No'
1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes'
1.13 Ensure that 'Members can invite' is set to 'No'
1.14 Ensure that 'Guests can invite' is set to 'No'
1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
1.16 Ensure that 'Restrict user ability to access groups features in the Access Panel' is set to 'No'
1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No'
1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'
1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
1.21 Ensure that no custom subscription owner roles are created
1.22 Ensure Security Defaults is enabled on Azure Active Directory
1.23 Ensure Custom Role is assigned for Administering Resource Locks
2 Security Center
2.1 Ensure that Azure Defender is set to On for Servers
2.2 Ensure that Azure Defender is set to On for App Service
2.3 Ensure that Azure Defender is set to On for Azure SQL database servers
2.4 Ensure that Azure Defender is set to On for SQL servers on machines
2.5 Ensure that Azure Defender is set to On for Storage
2.6 Ensure that Azure Defender is set to On for Kubernetes
2.7 Ensure that Azure Defender is set to On for Container Registries
2.8 Ensure that Azure Defender is set to On for Key Vault
2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
2.12 Ensure that no ASC Default policy setting is set to 'Disabled'
2.13 Ensure 'Additional email addresses' is configured with a security contact email
2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
2.15 Ensure that 'All users with the following roles' is set to 'Owner'
3 Storage Accounts
3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
3.2 Ensure that storage account access keys are periodically regenerated
3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests
3.4 Ensure that shared access signature tokens expire within an hour
3.5 Ensure that 'Public access level' is set to Private for blob containers
3.6 Ensure default network access rule for Storage Accounts is set to deny
3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
3.8 Ensure soft delete is enabled for Azure Storage
3.9 Ensure storage for critical data are encrypted with Customer Managed Key
3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests
3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
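The storage controls above are each a yes/no test against one property of the storage account, which is exactly what a Steampipe control query does. The query below is an added example, not a query from the azure_compliance mod; it evaluates CIS 3.1, 3.5, 3.6 and 3.8 in the mod's usual resource/status/reason shape. To make it run in plain PostgreSQL it replaces the live azure_storage_account table with a constructed CTE of three sample accounts; the column names (enable_https_traffic_only, allow_blob_public_access, network_rule_default_action, blob_soft_delete_enabled) are assumed from the Steampipe Azure plugin schema, so verify them with .inspect azure_storage_account before dropping the CTE and running it against a real subscription.

```sql
-- Added example (not part of the azure_compliance mod): a Steampipe-style
-- control query covering CIS 3.1, 3.5, 3.6 and 3.8. The first CTE is a
-- constructed stand-in for the azure_storage_account table so the query
-- executes in plain PostgreSQL; the column names are assumed from the
-- Steampipe Azure plugin schema (check with `.inspect azure_storage_account`).
with azure_storage_account(name, resource_group, enable_https_traffic_only,
                           allow_blob_public_access, network_rule_default_action,
                           blob_soft_delete_enabled) as (
  values
    ('stprodlogs01', 'rg-prod', true,  false, 'Deny',  true),   -- compliant
    ('stlegacy02',   'rg-old',  false, true,  'Allow', false),  -- fails all four
    ('stshared03',   'rg-prod', true,  false, 'Allow', true)    -- fails 3.6 only
),
findings as (
  select
    name,
    resource_group,
    -- concat_ws skips NULLs, so only failing controls appear in the list;
    -- an account that passes everything yields an empty string.
    concat_ws(', ',
      case when not enable_https_traffic_only
           then 'secure transfer not required (3.1)' end,
      case when allow_blob_public_access
           then 'blob public access allowed at account level (3.5)' end,
      case when network_rule_default_action <> 'Deny'
           then 'default network rule is ' || network_rule_default_action || ' (3.6)' end,
      case when not blob_soft_delete_enabled
           then 'blob soft delete disabled (3.8)' end
    ) as problems
  from azure_storage_account
)
select
  name as resource,
  case when problems = '' then 'ok' else 'alarm' end as status,
  case when problems = ''
       then name || ' passes CIS 3.1, 3.5, 3.6 and 3.8'
       else name || ': ' || problems
  end as reason,
  resource_group
from findings
order by status, name;
```

Run as written, the query returns stlegacy02 and stshared03 as alarm (the second one only for the Allow default network action) and stprodlogs01 as ok. Note that control 3.5 proper is evaluated per container (public access level on each blob container); the account-level allow_blob_public_access flag checked here is the stronger setting that disables anonymous access for every container in the account.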
4 Database Services
4.1 SQL Server - Auditing
4.1.1 Ensure that 'Auditing' is set to 'On'
4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
4.2 SQL Server - Azure Defender for SQL
4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server
4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
4.3 PostgreSQL Database Server
4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
4.4 Ensure that Azure Active Directory Admin is configured
4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
5 Logging and Monitoring
5.1 Configuring Diagnostic Settings
5.1.1 Ensure that a 'Diagnostics Setting' exists
5.1.2 Ensure Diagnostic Setting captures appropriate categories
5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Bring Your Own Key)
5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
5.2 Monitoring using Activity Log Alerts
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule
5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
5.3 Ensure that Diagnostic Logs are enabled for all services which support it
6 Networking
6.1 Ensure that RDP access is restricted from the internet
6.2 Ensure that SSH access is restricted from the internet
6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
6.5 Ensure that Network Watcher is 'Enabled'
6.6 Ensure that UDP Services are restricted from the Internet
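Controls 6.1 and 6.2 are harder to express than the storage checks because an NSG rule can name its source and destination either as a single value (sourceAddressPrefix, destinationPortRange) or as a list (sourceAddressPrefixes, destinationPortRanges), and a port can be given as '*', a number, or a range such as 3000-4000 that silently contains 3389. The query below is an added example, not the mod's own query; it shows the shape of a Steampipe control for 6.1 and 6.2 together, normalising both the single and list forms and testing ranges properly. It runs in plain PostgreSQL because the azure_network_security_group table is replaced by a constructed CTE of three sample NSGs; the assumption that security_rules is a jsonb array of rules carrying the Azure REST 'properties' object is taken from the Steampipe Azure plugin schema and should be confirmed with .inspect azure_network_security_group.

```sql
-- Added example (not part of the azure_compliance mod): CIS 6.1/6.2 check
-- for inbound RDP (3389) or SSH (22) allowed from the internet. The first CTE
-- is a constructed stand-in for azure_network_security_group; the assumed
-- shape of security_rules (jsonb array of rules with a 'properties' object)
-- comes from the Steampipe Azure plugin schema.
with azure_network_security_group(name, resource_group, security_rules) as (
  values
    ('nsg-web', 'rg-prod', '[
       {"name": "allow-https", "properties": {"access": "Allow", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
       {"name": "rdp-from-bastion", "properties": {"access": "Allow", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "3389"}}
     ]'::jsonb),
    ('nsg-legacy', 'rg-old', '[
       {"name": "mgmt-any", "properties": {"access": "Allow", "direction": "Inbound",
        "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"],
        "destinationPortRanges": ["22", "3000-4000"]}}
     ]'::jsonb),
    ('nsg-denied', 'rg-prod', '[
       {"name": "deny-rdp", "properties": {"access": "Deny", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}
     ]'::jsonb)
),
exposed as (
  select distinct
    nsg.name,
    r ->> 'name' as rule_name,
    dport
  from
    azure_network_security_group nsg,
    jsonb_array_elements(nsg.security_rules) as r,
    -- jsonb || turns a scalar into a one-element array, so the single-value
    -- and list forms of source and destination collapse into one array each.
    jsonb_array_elements_text(
      coalesce(r -> 'properties' -> 'sourceAddressPrefixes', '[]'::jsonb)
      || coalesce(r -> 'properties' -> 'sourceAddressPrefix', '[]'::jsonb)) as src,
    jsonb_array_elements_text(
      coalesce(r -> 'properties' -> 'destinationPortRanges', '[]'::jsonb)
      || coalesce(r -> 'properties' -> 'destinationPortRange', '[]'::jsonb)) as dport
  where
    r -> 'properties' ->> 'access' = 'Allow'
    and r -> 'properties' ->> 'direction' = 'Inbound'
    and lower(r -> 'properties' ->> 'protocol') in ('tcp', '*')
    and src in ('*', '0.0.0.0', '0.0.0.0/0', '/0', 'Internet', 'Any')
    -- CASE guarantees evaluation order, so '*' is never cast to an integer.
    and case
          when dport = '*' then true
          when dport like '%-%'
            then int4range(split_part(dport, '-', 1)::int,
                           split_part(dport, '-', 2)::int, '[]') @> any (array[22, 3389])
          else dport::int in (22, 3389)
        end
)
select
  nsg.name as resource,
  case when count(e.rule_name) = 0 then 'ok' else 'alarm' end as status,
  case when count(e.rule_name) = 0
       then nsg.name || ' has no inbound RDP/SSH rule open to the internet'
       else nsg.name || ' exposes ' ||
            string_agg(e.rule_name || ' (' || e.dport || ')', ', ' order by e.dport)
            || ' to the internet'
  end as reason,
  nsg.resource_group
from azure_network_security_group nsg
left join exposed e on e.name = nsg.name
group by nsg.name, nsg.resource_group
order by status, nsg.name;
```

With the sample data only nsg-legacy is reported, with both the literal port 22 and the 3000-4000 range flagged; nsg-web passes because its RDP rule is scoped to a private subnet, and nsg-denied passes because a Deny rule does not expose anything. The same skeleton covers 6.6 by swapping the protocol filter to udp and widening the port set, which is why the single-versus-list normalisation is worth getting right once.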
7 Virtual Machines
7.1 Ensure Virtual Machines are utilizing Managed Disks
7.2 Ensure that 'OS and Data' disks are encrypted with CMK
7.3 Ensure that 'Unattached disks' are encrypted with CMK
7.4 Ensure that only approved extensions are installed
7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
7.6 Ensure that the endpoint protection for all Virtual Machines is installed
7.7 Ensure that VHDs are encrypted
8 Other Security Considerations
8.1 Ensure that the expiration date is set on all keys
8.2 Ensure that the expiration date is set on all Secrets
8.3 Ensure that Resource Locks are set for mission critical Azure resources
8.4 Ensure the key vault is recoverable
8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
9 AppService
9.1 Ensure App Service Authentication is set on Azure App Service
9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
9.3 Ensure web app is using the latest version of TLS encryption
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
9.5 Ensure that Register with Azure Active Directory is enabled on App Service
9.6 Ensure that 'PHP version' is the latest, if used to run the web app
9.7 Ensure that 'Python version' is the latest, if used to run the web app
9.8 Ensure that 'Java version' is the latest, if used to run the web app
9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
9.10 Ensure FTP deployments are disabled
9.11 Ensure Azure Keyvaults are used to store secrets
Benchmarks & Controls in Azure Compliance
The Azure Compliance mod includes 1 benchmark & 111 controls.
steampipe check azure_compliance