Table: azure_subscription - Query Azure Subscriptions using SQL
Azure Subscriptions act as a logical container for resources deployed on Microsoft Azure. They provide a mechanism to organize access to Azure resources, manage costs, and track billing. Each Azure Subscription can have a different billing and payment setup, allowing flexibility in how users and organizations pay for the usage of Azure Services.
Table Usage Guide
The azure_subscription table provides insights into Azure Subscriptions within Microsoft Azure. As a cloud architect or administrator, explore subscription-specific details through this table, including subscription IDs, names, states, and tenants. Utilize it to manage and organize access to Azure resources, track billing, and understand the cost management setup across different subscriptions.
Examples
Basic info
Explore the status and policies of your Azure subscriptions to understand their current state and source of authorization. This can help in managing and optimizing your cloud resources effectively.
select
  id,
  subscription_id,
  display_name,
  tenant_id,
  state,
  authorization_source,
  subscription_policies
from
  azure_subscription;
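The following query is an added example, not part of the original table documentation: it unpacks the subscription_policies JSON column and flags subscriptions whose state is not Enabled, which is the first thing an administrator triaging a tenant usually wants to see. The JSON keys quotaId, spendingLimit and locationPlacementId are assumed to match the Azure Subscriptions API payload that the column mirrors.

```sql
-- Added example (not from the original page). Triage subscriptions by
-- lifecycle state and surface the policy fields normally hidden inside the
-- subscription_policies JSON column. The JSON keys below (quotaId,
-- spendingLimit, locationPlacementId) are assumed from the Azure
-- Subscriptions API response that Steampipe stores in that column.
select
  display_name,
  subscription_id,
  tenant_id,
  state,
  authorization_source,
  subscription_policies ->> 'quotaId'             as quota_id,
  subscription_policies ->> 'spendingLimit'       as spending_limit,
  subscription_policies ->> 'locationPlacementId' as location_placement_id,
  case
    -- Anything other than Enabled (e.g. Disabled, Warned, PastDue, Deleted)
    -- means workloads may already be degraded or the subscription is in a
    -- state nobody is expecting; review it first.
    when state <> 'Enabled' then 'review: subscription state is ' || state
    else 'ok'
  end as finding
from
  azure_subscription
order by
  -- Put findings that need attention at the top of the result set.
  (state <> 'Enabled') desc,
  display_name;
```

Run it against the same Steampipe connection as the basic query above; a tenant with only healthy subscriptions returns a single "ok" per row, so any other value in finding is worth a look.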
Query examples
- app_service_web_app_by_subscription
- compute_disk_by_subscription
- compute_disk_storage_by_subscription
- compute_snapshot_by_subscription
- compute_virtual_machine_by_subscription
- compute_virtual_machine_scale_set_by_subscription
- cosmosdb_account_by_subscription
- key_vault_by_subscription
- key_vault_key_by_subscription
- kubernetes_cluster_by_subscription
- network_express_route_circuit_by_subscription
- network_security_group_by_subscription
- sql_database_by_subscription
- sql_server_by_subscription
- subscription_count
- subscription_table
- storage_account_by_subscription
- virtual_network_by_subscription
Control examples
- A maximum of 3 owners should be designated for your subscription
- A vulnerability assessment solution should be enabled on your virtual machines
- Accounts with owner permissions on Azure resources should be MFA enabled
- Accounts with read permissions on Azure resources should be MFA enabled
- Accounts with write permissions on Azure resources should be MFA enabled
- Adaptive application controls for defining safe applications should be enabled on your machines
- Adaptive network hardening recommendations should be applied on internet facing virtual machines
- Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
- Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
- All Controls > Active Directory > Ensure that no Custom Subscription Administrator roles exist
- All Controls > Active Directory > Subscriptions with custom roles should not be overly permissive
- All Controls > API Management > API Management client certificate should be enabled
- All Controls > App Configuration > App Configuration should use standard SKU
- All Controls > App Service > App Service function apps public access should be restricted
- All Controls > App Service > Appservice plan should not use free, shared or basic SKU
- All Controls > App Service > Ensure App Service authentication is set up for apps in Azure App Service
- All Controls > App Service > Ensure App Service authentication is set up for function apps in Azure App Service
- All Controls > App Service > Ensure FTP deployments are Disabled
- All Controls > App Service > Ensure that 'Java version' is the latest, if used as a part of the Function app
- All Controls > App Service > Ensure that 'Java version' is the latest, if used as a part of the Web app
- All Controls > App Service > Ensure that 'PHP version' is the latest, if used as a part of the WEB app
- All Controls > App Service > Ensure that 'Python version' is the latest, if used as a part of the Function app
- All Controls > App Service > Ensure that 'Python version' is the latest, if used as a part of the Web app
- All Controls > App Service > Ensure that Register with Azure Active Directory is enabled on App Service
- All Controls > App Service > Latest TLS version should be used in your Web App
- All Controls > App Service > Managed identity should be used in your API App
- All Controls > App Service > Remote debugging should be turned off for Web Applications
- All Controls > App Service > Web app failed request tracing should be enabled
- All Controls > App Service > Web app HTTP logs should be enabled
- All Controls > App Service > Web app should have more than one worker
- All Controls > App Service > Web app should use the latest 'Net Framework' version
- All Controls > App Service > Web app slot should only be accessible over HTTPS
- All Controls > App Service > Web apps should be configured to always be on
- All Controls > App Service > Web apps should have health check enabled
- All Controls > Batch > Batch accounts identity provider should be enabled
- All Controls > Cognitive Search > Cognitive Search services should maintain SLA for index updates
- All Controls > Cognitive Search > Cognitive Search services should use managed identity
- All Controls > Compute > Compute virtual machine scale sets should have automatic OS image patching enabled
- All Controls > Compute > Compute virtual machine scale sets with linux OS should have SSH key authentication enabled
- All Controls > Compute > Compute virtual machines should use managed disk for OS and data disk
- All Controls > Compute > Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- All Controls > Compute > Ensure Virtual Machines are utilizing Managed Disks
- All Controls > Compute > Resource logs in Virtual Machine Scale Sets should be enabled
- All Controls > Compute > Unattached Compute disks should be encrypted with ADE/CMK
- All Controls > Compute > Virtual Machine scale sets boot diagnostics should be enabled
- All Controls > Compute > Virtual machine scale sets should use managed disks
- All Controls > Container Instance > Container instance container groups identity provider should be enabled
- All Controls > Container Instance > Container instance container groups should be in virtual network
- All Controls > Container Instance > Container instance container groups should use secured environment variable
- All Controls > Container Registry > Container registries admin user should be disabled
- All Controls > Container Registry > Container registries public network access should be disabled
- All Controls > Container Registry > Container registries quarantine policy should be enabled
- All Controls > Container Registry > Container registries retention policy should be enabled
- All Controls > Container Registry > Container registries should be geo-replicated
- All Controls > Container Registry > Container registries trust policy should be enabled
- All Controls > Cosmos DB > Cosmos DB account 'Access Control' should be configured to use Azure Active Directory (AAD) and Role-Based Access Control (RBAC)
- All Controls > Cosmos DB > Cosmos DB accounts should disable key based metadata write access
- All Controls > Cosmos DB > Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- All Controls > Data Explorer > Kusto clusters should use SKU with an SLA
- All Controls > Data Factory > Data factories should disable public network access
- All Controls > Data Factory > Data factories should use GitHub repository
- All Controls > Event Grid > Event Grid domains identity provider should be enabled
- All Controls > Event Grid > Event Grid domains should restrict public network access
- All Controls > Event Grid > Event Grid topics identity provider should be enabled
- All Controls > Event Grid > Event Grid topics should have local authentication enabled
- All Controls > Key Vault > Azure Key Vault should disable public network access
- All Controls > Key Vault > Enable Role Based Access Control for Azure Key Vault
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- All Controls > Key Vault > Ensure the key vault is recoverable
- All Controls > Kubernetes Service > Kubernetes cluster addon Azure policy should be enabled
- All Controls > Kubernetes Service > Kubernetes cluster nodes should prohibit public access
- All Controls > Kubernetes Service > Kubernetes cluster should restrict public access
- All Controls > Kubernetes Service > Kubernetes clusters HTTP application routing should be disabled
- All Controls > Kubernetes Service > Kubernetes clusters key vault secret rotation should be enabled
- All Controls > Kubernetes Service > Kubernetes clusters should have Azure network plugin
- All Controls > Kubernetes Service > Kubernetes clusters should have logging enabled
- All Controls > Kubernetes Service > Kubernetes clusters should have network policy enabled
- All Controls > Kubernetes Service > Kubernetes clusters should use a minimum number of 50 pods
- All Controls > Kubernetes Service > Kubernetes clusters should use standard SKU
- All Controls > Kubernetes Service > Kubernetes clusters upgrade channel should be configured
- All Controls > MariaDB > MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'
- All Controls > Monitor > Ensure Diagnostic Setting captures appropriate categories
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Network Security Group
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Security Solution
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create Policy Assignment
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Network Security Group
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Policy Assignment
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Public IP Address rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Security Solution
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- All Controls > Monitor > Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- All Controls > Monitor > Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- All Controls > Monitor > Ensure the storage container storing the operational logs is not publicly accessible
- All Controls > MySQL > Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- All Controls > MySQL > Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- All Controls > MySQL > Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- All Controls > Network > Ensure an Azure Bastion Host exists
- All Controls > Network > Ensure that HTTP(S) access from the Internet is evaluated and restricted
- All Controls > Network > Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- All Controls > Network > Ensure that SSH access is restricted from the internet
- All Controls > Network > Ensure that UDP Services are restricted from the Internet
- All Controls > Network > Network security groups should restrict inbound ICMP port access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 135 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 1433 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 20 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 21 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 23 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 25 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 3306 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 4333 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 445 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 53 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 5432 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 5500 access from internet
- All Controls > Network > Network security groups should restrict inbound TCP port 5900 access from internet
- All Controls > Network > Network security groups should restrict inbound UDP port 137 access from internet
- All Controls > Network > Network security groups should restrict inbound UDP port 1434 access from internet
- All Controls > Network > Network security groups should restrict inbound UDP port 445 access from internet
- All Controls > Network > Network security groups should restrict inbound UDP port 53 access from internet
- All Controls > Network > Network security groups should restrict outbound access from internet
- All Controls > Network > Virtual network network peering should be in connected state
- All Controls > PostgreSQL > Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- All Controls > PostgreSQL > Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- All Controls > PostgreSQL > Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- All Controls > PostgreSQL > PostgreSQL servers should have the latest TLS version
- All Controls > Recovery Service > Recovery Services vaults should use managed identity
- All Controls > Redis > Azure Cache for Redis should reside within a virtual network
- All Controls > Redis > Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'
- All Controls > Security Center > Azure Defender for container registries should be enabled
- All Controls > Security Center > Azure Defender for Kubernetes should be enabled
- All Controls > Security Center > Ensure 'Additional email addresses' is configured with a security contact email
- All Controls > Security Center > Ensure any of the ASC Default policy setting is not set to "Disabled"
- All Controls > Security Center > Ensure That Microsoft Defender for Azure Cosmos DB is set to 'On'
- All Controls > Security Center > Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected
- All Controls > Security Center > Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
- All Controls > Security Center > Security Center container image scan should be enabled
- All Controls > Security Center > Security center pricing should be set to standard
- All Controls > Service Bus > Service bus namespace should be configured with Azure Active Directory (Azure AD) authentication
- All Controls > Service Bus > Service bus namespace should not be configured with overly permissive network access
- All Controls > Service Bus > Service Bus should use virtual service endpoint
- All Controls > SignalR Service > SignalR Service should not use free tier SKU
- All Controls > SQL > Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- All Controls > SQL > Ensure that 'Auditing' Retention is 'greater than 90 days'
- All Controls > SQL > Ensure that Azure Active Directory Admin is configured
- All Controls > SQL > Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- All Controls > SQL > Ensure that VA setting 'Send scan reports to' is configured for a SQL server
- All Controls > SQL > Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- All Controls > SQL > Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- All Controls > SQL > SQL server threat detection should be enabled for all
- All Controls > Storage > Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- All Controls > Storage > Ensure soft delete is enabled for Azure Storage
- All Controls > Storage > Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- All Controls > Storage > Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- All Controls > Storage > Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests
- All Controls > Storage > Ensure that 'Public access level' is set to Private for blob containers
- All Controls > Storage > Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- All Controls > Storage > Storage account containing VHD OS disk not encrypted with CMK
- All Controls > Storage > Storage account logging (Classic Diagnostic Setting) for blobs should be enabled
- All Controls > Storage > Storage account logging (Classic Diagnostic Setting) for queues should be enabled
- All Controls > Storage > Storage account logging (Classic Diagnostic Setting) for tables should be enabled
- All Controls > Synapse Analytics > Synapse workspaces should have data exfiltration protection enabled
- All flow log resources should be in enabled state
- All Internet traffic should be routed via your deployed Azure Firewall
- All network ports should be restricted on network security groups associated to your virtual machine
- Allowlist rules in your adaptive application control policy should be updated
- An activity log alert should exist for specific Administrative operations
- An Azure Active Directory administrator should be provisioned for SQL servers
- API Management services should use a virtual network
- App Configuration encryption should be enabled
- App Configuration should use private link
- App Service API apps should only be accessible over HTTPS
- App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
- App Service apps should have Client Certificates (Incoming client certificates) enabled
- App Service apps should have remote debugging turned off
- App Service apps should have resource logs enabled
- App Service apps should not have CORS configured to allow every resource to access your apps
- App Service apps should use a virtual network service endpoint
- App Service apps should use managed identity
- App Service apps should use the latest TLS version
- App Service Environment should enable internal encryption
- Application Insights components should block log ingestion and querying from public networks
- Audit diagnostic setting for selected resource types
- Audit Linux machines that allow remote connections from accounts without passwords
- Audit Linux machines that do not have the passwd file permissions set to 0644
- Audit Linux machines that have accounts without passwords
- Audit usage of custom RBAC roles
- Audit virtual machines without disaster recovery configured
- Audit Windows machines missing any of specified members in the Administrators group
- Audit Windows machines on which the Log Analytics agent is not connected as expected
- Audit Windows machines that allow re-use of the previous 24 passwords
- Audit Windows machines that do not have a maximum password age of 70 days
- Audit Windows machines that do not have a minimum password age of 1 day
- Audit Windows machines that do not have the password complexity setting enabled
- Audit Windows machines that do not restrict the minimum password length to 14 characters
- Audit Windows machines that do not store passwords using reversible encryption
- Audit Windows machines that have the specified members in the Administrators group
- Auditing on SQL server should be enabled
- Authentication to Linux machines should require SSH keys
- Authorized IP ranges should be defined on Kubernetes Services
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Automation account variables should be encrypted
- Azure API for FHIR should use a customer-managed key to encrypt data at rest
- Azure API for FHIR should use private link
- Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
- Azure Backup should be enabled for Virtual Machines
- Azure Batch account should use customer-managed keys to encrypt data
- Azure Cache for Redis should use private link
- Azure Cache for Redis should use standard SKUs as a minimum
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Data Box jobs should enable double encryption for data at rest on the device
- Azure Data Explorer encryption at rest should use a customer-managed key
- Azure data factories should be encrypted with a customer-managed key
- Azure Data Factory should use private link
- Azure DDoS Protection Standard should be enabled
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for DNS should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure File Sync should use private link
- Azure HDInsight clusters should use customer-managed keys to encrypt data at rest
- Azure HDInsight clusters should use encryption at host to encrypt data at rest
- Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes
- Azure Key Vault Managed HSM should have purge protection enabled
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- Azure Machine Learning workspaces should be encrypted with a customer-managed key
- Azure Machine Learning workspaces should use private link
- Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'
- Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
- Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace
- Azure Monitor should collect activity logs from all regions
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Azure Recovery Services vaults should use private link for backup
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Azure Stack Edge devices should use double-encryption
- Azure subscriptions should have a log profile for Activity Log
- Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
- Azure Synapse workspaces should use private link
- Azure Web PubSub Service should use private link
- Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
- CIS v1.3.0 > 1 Identity and Access Management > 1.21 Ensure that no custom subscription owner roles are created
- CIS v1.3.0 > 2 Security Center > 2.1 Ensure that Azure Defender is set to On for Servers
- CIS v1.3.0 > 2 Security Center > 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
- CIS v1.3.0 > 2 Security Center > 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
- CIS v1.3.0 > 2 Security Center > 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled"
- CIS v1.3.0 > 2 Security Center > 2.13 Ensure 'Additional email addresses' is configured with a security contact email
- CIS v1.3.0 > 2 Security Center > 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
- CIS v1.3.0 > 2 Security Center > 2.15 Ensure that 'All users with the following roles' is set to 'Owner'
- CIS v1.3.0 > 2 Security Center > 2.2 Ensure that Azure Defender is set to On for App Service
- CIS v1.3.0 > 2 Security Center > 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers
- CIS v1.3.0 > 2 Security Center > 2.4 Ensure that Azure Defender is set to On for SQL servers on machines
- CIS v1.3.0 > 2 Security Center > 2.5 Ensure that Azure Defender is set to On for Storage
- CIS v1.3.0 > 2 Security Center > 2.6 Ensure that Azure Defender is set to On for Kubernetes
- CIS v1.3.0 > 2 Security Center > 2.7 Ensure that Azure Defender is set to On for Container Registries
- CIS v1.3.0 > 2 Security Center > 2.8 Ensure that Azure Defender is set to On for Key Vault
- CIS v1.3.0 > 2 Security Center > 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
- CIS v1.3.0 > 3 Storage Accounts > 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- CIS v1.3.0 > 3 Storage Accounts > 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- CIS v1.3.0 > 3 Storage Accounts > 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
- CIS v1.3.0 > 3 Storage Accounts > 3.2 Ensure that storage account access keys are periodically regenerated
- CIS v1.3.0 > 3 Storage Accounts > 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- CIS v1.3.0 > 3 Storage Accounts > 3.4 Ensure that shared access signature tokens expire within an hour
- CIS v1.3.0 > 3 Storage Accounts > 3.5 Ensure that 'Public access level' is set to Private for blob containers
- CIS v1.3.0 > 3 Storage Accounts > 3.6 Ensure default network access rule for Storage Accounts is set to deny
- CIS v1.3.0 > 3 Storage Accounts > 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- CIS v1.3.0 > 3 Storage Accounts > 3.8 Ensure soft delete is enabled for Azure Storage
- CIS v1.3.0 > 3 Storage Accounts > 3.9 Ensure storage for critical data are encrypted with Customer Managed Key
- CIS v1.3.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v1.3.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- CIS v1.3.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v1.3.0 > 4 Database Services > 4.4 Ensure that Azure Active Directory Admin is configured
- CIS v1.3.0 > 4 Database Services > 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.1 Ensure that a 'Diagnostics Setting' exists
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- CIS v1.3.0 > 5 Logging and Monitoring > 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
- CIS v1.3.0 > 6 Networking > 6.1 Ensure that RDP access is restricted from the internet
- CIS v1.3.0 > 6 Networking > 6.2 Ensure that SSH access is restricted from the internet
- CIS v1.3.0 > 6 Networking > 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- CIS v1.3.0 > 6 Networking > 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- CIS v1.3.0 > 6 Networking > 6.5 Ensure that Network Watcher is 'Enabled'
- CIS v1.3.0 > 6 Networking > 6.6 Ensure that UDP Services are restricted from the Internet
- CIS v1.3.0 > 7 Virtual Machines > 7.1 Ensure Virtual Machines are utilizing Managed Disks
- CIS v1.3.0 > 7 Virtual Machines > 7.2 Ensure that 'OS and Data' disks are encrypted with CMK
- CIS v1.3.0 > 7 Virtual Machines > 7.3 Ensure that 'Unattached disks' are encrypted with CMK
- CIS v1.3.0 > 7 Virtual Machines > 7.4 Ensure that only approved extensions are installed
- CIS v1.3.0 > 7 Virtual Machines > 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
- CIS v1.3.0 > 7 Virtual Machines > 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
- CIS v1.3.0 > 7 Virtual Machines > 7.7 Ensure that VHD's are encrypted
- CIS v1.3.0 > 8 Other Security Considerations > 8.1 Ensure that the expiration date is set on all keys
- CIS v1.3.0 > 8 Other Security Considerations > 8.2 Ensure that the expiration date is set on all Secrets
- CIS v1.3.0 > 8 Other Security Considerations > 8.3 Ensure that Resource Locks are set for mission critical Azure resources
- CIS v1.3.0 > 8 Other Security Considerations > 8.4 Ensure the key vault is recoverable
- CIS v1.3.0 > 8 Other Security Considerations > 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
- CIS v1.3.0 > 9 AppService > 9.1 Ensure App Service Authentication is set on Azure App Service
- CIS v1.3.0 > 9 AppService > 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- CIS v1.3.0 > 9 AppService > 9.3 Ensure web app is using the latest version of TLS encryption
- CIS v1.3.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v1.3.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v1.3.0 > 9 AppService > 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
- CIS v1.3.0 > 9 AppService > 9.7 Ensure that 'Python version' is the latest, if used to run the web app
- CIS v1.3.0 > 9 AppService > 9.8 Ensure that 'Java version' is the latest, if used to run the web app
- CIS v1.3.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- CIS v1.3.0 > 9 AppService > 9.10 Ensure FTP deployments are disabled
- CIS v1.3.0 > 9 AppService > 9.11 Ensure Azure Keyvaults are used to store secrets
- CIS v1.4.0 > 1 Identity and Access Management > 1.20 Ensure that no custom subscription owner roles are created
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.1 Ensure that Microsoft Defender for Servers is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.2 Ensure that Microsoft Defender for App Service is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.3 Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.4 Ensure that Microsoft Defender for SQL servers on machines is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.5 Ensure that Microsoft Defender for Storage is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.6 Ensure that Microsoft Defender for Kubernetes is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.7 Ensure that Microsoft Defender for Container Registries is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.8 Ensure that Microsoft Defender for Key Vault is set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.10 Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.11 Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.12 Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.15 Ensure that 'All users with the following roles' is set to 'Owner'
- CIS v1.4.0 > 3 Storage Accounts > 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- CIS v1.4.0 > 3 Storage Accounts > 3.2 Ensure that storage account access keys are periodically regenerated
- CIS v1.4.0 > 3 Storage Accounts > 3.3 Ensure Storage logging is enabled for Queue service for 'Read', 'Write', and 'Delete' requests
- CIS v1.4.0 > 3 Storage Accounts > 3.4 Ensure that shared access signature tokens expire within an hour
- CIS v1.4.0 > 3 Storage Accounts > 3.5 Ensure that 'Public access level' is set to Private for blob containers
- CIS v1.4.0 > 3 Storage Accounts > 3.6 Ensure default network access rule for Storage Accounts is set to deny
- CIS v1.4.0 > 3 Storage Accounts > 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- CIS v1.4.0 > 3 Storage Accounts > 3.8 Ensure soft delete is enabled for Azure Storage
- CIS v1.4.0 > 3 Storage Accounts > 3.9 Ensure storage for critical data are encrypted with Customer Managed Key
- CIS v1.4.0 > 3 Storage Accounts > 3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests
- CIS v1.4.0 > 3 Storage Accounts > 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests
- CIS v1.4.0 > 3 Storage Accounts > 3.12 Ensure the 'Minimum TLS version' is set to 'Version 1.2'
- CIS v1.4.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v1.4.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- CIS v1.4.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.4 Ensure that VA setting 'Send scan reports to' is configured for a SQL server
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v1.4.0 > 4 Database Services > 4.4 MySQL Database > 4.4.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.4 MySQL Database > 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- CIS v1.4.0 > 4 Database Services > 4.5 Ensure that Azure Active Directory Admin is configured
- CIS v1.4.0 > 4 Database Services > 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.1 Ensure that a 'Diagnostics Setting' exists
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- CIS v1.4.0 > 5 Logging and Monitoring > 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
- CIS v1.4.0 > 6 Networking > 6.1 Ensure that RDP access is restricted from the internet
- CIS v1.4.0 > 6 Networking > 6.2 Ensure that SSH access is restricted from the internet
- CIS v1.4.0 > 6 Networking > 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- CIS v1.4.0 > 6 Networking > 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- CIS v1.4.0 > 6 Networking > 6.5 Ensure that Network Watcher is 'Enabled'
- CIS v1.4.0 > 6 Networking > 6.6 Ensure that UDP Services are restricted from the Internet
- CIS v1.4.0 > 7 Virtual Machines > 7.1 Ensure Virtual Machines are utilizing Managed Disks
- CIS v1.4.0 > 7 Virtual Machines > 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- CIS v1.4.0 > 7 Virtual Machines > 7.3 Ensure that 'Unattached disks' are encrypted with CMK
- CIS v1.4.0 > 7 Virtual Machines > 7.4 Ensure that only approved extensions are installed
- CIS v1.4.0 > 7 Virtual Machines > 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
- CIS v1.4.0 > 7 Virtual Machines > 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
- CIS v1.4.0 > 7 Virtual Machines > 7.7 Ensure that VHD's are encrypted
- CIS v1.4.0 > 8 Other Security Considerations > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.5 Ensure that Resource Locks are set for mission critical Azure resources
- CIS v1.4.0 > 8 Other Security Considerations > 8.6 Ensure the key vault is recoverable
- CIS v1.4.0 > 8 Other Security Considerations > 8.7 Enable role-based access control (RBAC) within Azure Kubernetes Services
- CIS v1.4.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v1.4.0 > 9 AppService > 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- CIS v1.4.0 > 9 AppService > 9.3 Ensure web app is using the latest version of TLS encryption
- CIS v1.4.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v1.4.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v1.4.0 > 9 AppService > 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
- CIS v1.4.0 > 9 AppService > 9.7 Ensure that 'Python version' is the latest, if used to run the web app
- CIS v1.4.0 > 9 AppService > 9.8 Ensure that 'Java version' is the latest, if used to run the web app
- CIS v1.4.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- CIS v1.4.0 > 9 AppService > 9.10 Ensure FTP deployments are disabled
- CIS v1.4.0 > 9 AppService > 9.11 Ensure Azure Keyvaults are used to store secrets
- CIS v1.5.0 > 1 Identity and Access Management > 1.23 Ensure That No Custom Subscription Owner Roles Are Created
- CIS v1.5.0 > 10 Miscellaneous > 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.1 Defender Plans > 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.2 Auto Provisioning > 2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.2 Auto Provisioning > 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.2 Auto Provisioning > 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.3 Email notifications > 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.3 Email notifications > 2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.3 Email notifications > 2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.4 Integrations > 2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.4 Integrations > 2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- CIS v1.5.0 > 3 Storage Accounts > 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- CIS v1.5.0 > 3 Storage Accounts > 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- CIS v1.5.0 > 3 Storage Accounts > 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- CIS v1.5.0 > 3 Storage Accounts > 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- CIS v1.5.0 > 3 Storage Accounts > 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' request
- CIS v1.5.0 > 3 Storage Accounts > 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- CIS v1.5.0 > 3 Storage Accounts > 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
- CIS v1.5.0 > 3 Storage Accounts > 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- CIS v1.5.0 > 3 Storage Accounts > 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- CIS v1.5.0 > 3 Storage Accounts > 3.10 Ensure Private Endpoints are used to access Storage Accounts
- CIS v1.5.0 > 3 Storage Accounts > 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- CIS v1.5.0 > 3 Storage Accounts > 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- CIS v1.5.0 > 3 Storage Accounts > 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- CIS v1.5.0 > 3 Storage Accounts > 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- CIS v1.5.0 > 3 Storage Accounts > 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v1.5.0 > 4 Database Services > 4.4 MySQL Database > 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.4 MySQL Database > 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- CIS v1.5.0 > 4 Database Services > 4.4 MySQL Database > 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.4 MySQL Database > 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- CIS v1.5.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.2 Ensure That Private Endpoints Are Used Where Possible
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.1 Ensure that a 'Diagnostics Setting' exists
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled.
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- CIS v1.5.0 > 6 Networking > 6.1 Ensure that RDP from the internet access is evaluated and restricted
- CIS v1.5.0 > 6 Networking > 6.2 Ensure that SSH access from the internet is evaluated and restricted
- CIS v1.5.0 > 6 Networking > 6.3 Ensure that UDP access from the Internet is evaluated and restricted
- CIS v1.5.0 > 6 Networking > 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
- CIS v1.5.0 > 6 Networking > 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- CIS v1.5.0 > 6 Networking > 6.6 Ensure that Network Watcher is 'Enabled'
- CIS v1.5.0 > 7 Virtual Machines > 7.1 Ensure Virtual Machines are utilizing Managed Disks
- CIS v1.5.0 > 7 Virtual Machines > 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- CIS v1.5.0 > 7 Virtual Machines > 7.3 Ensure that 'Unattached disks' are encrypted with CMK
- CIS v1.5.0 > 7 Virtual Machines > 7.4 Ensure that only approved extensions are installed
- CIS v1.5.0 > 7 Virtual Machines > 7.5 Ensure that the endpoint protection for all Virtual Machines is installed
- CIS v1.5.0 > 7 Virtual Machines > 7.6 Ensure that VHD's are encrypted
- CIS v1.5.0 > 8 Other Security Considerations > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.5 Ensure the key vault is recoverable
- CIS v1.5.0 > 8 Other Security Considerations > 8.6 Enable Role Based Access Control for Azure Key Vault
- CIS v1.5.0 > 8 Other Security Considerations > 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v1.5.0 > 8 Other Security Considerations > 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- CIS v1.5.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v1.5.0 > 9 AppService > 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- CIS v1.5.0 > 9 AppService > 9.3 Ensure web app is using the latest version of TLS encryption
- CIS v1.5.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v1.5.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v1.5.0 > 9 AppService > 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
- CIS v1.5.0 > 9 AppService > 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app
- CIS v1.5.0 > 9 AppService > 9.8 Ensure that 'Java version' is the latest, if used to run the web app
- CIS v1.5.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- CIS v1.5.0 > 9 AppService > 9.10 Ensure FTP deployments are disabled
- CIS v1.5.0 > 9 AppService > 9.11 Ensure Azure Keyvaults are used to store secrets
- CIS v2.0.0 > 1 Identity and Access Management > 1.23 Ensure That No Custom Subscription Administrator Roles Exist
- CIS v2.0.0 > 10 Miscellaneous > 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.21 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.22 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.9 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- CIS v2.0.0 > 2 Microsoft Defender > 2.2 Microsoft Defender for IoT > 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- CIS v2.0.0 > 3 Storage Accounts > 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- CIS v2.0.0 > 3 Storage Accounts > 3.10 Ensure Private Endpoints are used to access Storage Accounts
- CIS v2.0.0 > 3 Storage Accounts > 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- CIS v2.0.0 > 3 Storage Accounts > 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- CIS v2.0.0 > 3 Storage Accounts > 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- CIS v2.0.0 > 3 Storage Accounts > 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- CIS v2.0.0 > 3 Storage Accounts > 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- CIS v2.0.0 > 3 Storage Accounts > 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- CIS v2.0.0 > 3 Storage Accounts > 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- CIS v2.0.0 > 3 Storage Accounts > 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- CIS v2.0.0 > 3 Storage Accounts > 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- CIS v2.0.0 > 3 Storage Accounts > 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- CIS v2.0.0 > 3 Storage Accounts > 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
- CIS v2.0.0 > 3 Storage Accounts > 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- CIS v2.0.0 > 3 Storage Accounts > 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v2.0.0 > 4 Database Services > 4.4 MySQL Database > 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.4 MySQL Database > 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- CIS v2.0.0 > 4 Database Services > 4.4 MySQL Database > 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.4 MySQL Database > 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- CIS v2.0.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.2 Ensure That Private Endpoints Are Used Where Possible
- CIS v2.0.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.1 Ensure that a 'Diagnostic Setting' exists
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.3 Configuring Application Insights > 5.3.1 Ensure Application Insights are Configured
- CIS v2.0.0 > 5 Logging and Monitoring > 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- CIS v2.0.0 > 6 Networking > 6.1 Ensure that RDP access from the Internet is evaluated and restricted
- CIS v2.0.0 > 6 Networking > 6.2 Ensure that SSH access from the Internet is evaluated and restricted
- CIS v2.0.0 > 6 Networking > 6.3 Ensure that UDP access from the Internet is evaluated and restricted
- CIS v2.0.0 > 6 Networking > 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
- CIS v2.0.0 > 6 Networking > 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- CIS v2.0.0 > 6 Networking > 6.6 Ensure that Network Watcher is 'Enabled'
- CIS v2.0.0 > 6 Networking > 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- CIS v2.0.0 > 7 Virtual Machines > 7.1 Ensure an Azure Bastion Host Exists
- CIS v2.0.0 > 7 Virtual Machines > 7.2 Ensure Virtual Machines are utilizing Managed Disks
- CIS v2.0.0 > 7 Virtual Machines > 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- CIS v2.0.0 > 7 Virtual Machines > 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- CIS v2.0.0 > 7 Virtual Machines > 7.5 Ensure that Only Approved Extensions Are Installed
- CIS v2.0.0 > 7 Virtual Machines > 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
- CIS v2.0.0 > 7 Virtual Machines > 7.7 Ensure that VHDs are Encrypted
- CIS v2.0.0 > 8 Key Vault > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.5 Ensure the Key Vault is Recoverable
- CIS v2.0.0 > 8 Key Vault > 8.6 Enable Role Based Access Control for Azure Key Vault
- CIS v2.0.0 > 8 Key Vault > 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v2.0.0 > 8 Key Vault > 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- CIS v2.0.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v2.0.0 > 9 AppService > 9.10 Ensure FTP deployments are Disabled
- CIS v2.0.0 > 9 AppService > 9.11 Ensure Azure Key Vaults are Used to Store Secrets
- CIS v2.0.0 > 9 AppService > 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- CIS v2.0.0 > 9 AppService > 9.3 Ensure Web App is using the latest version of TLS encryption
- CIS v2.0.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v2.0.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v2.0.0 > 9 AppService > 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- CIS v2.0.0 > 9 AppService > 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- CIS v2.0.0 > 9 AppService > 9.8 Ensure that 'Java version' is the latest, if used to run the Web App
- CIS v2.0.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- CIS v2.1.0 > 1 Identity and Access Management > 1.22 Ensure That No Custom Subscription Administrator Roles Exist
- CIS v2.1.0 > 10 Miscellaneous > 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.18 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- CIS v2.1.0 > 2 Microsoft Defender > 2.2 Microsoft Defender for IoT > 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- CIS v2.1.0 > 3 Storage Accounts > 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- CIS v2.1.0 > 3 Storage Accounts > 3.10 Ensure Private Endpoints are used to access Storage Accounts
- CIS v2.1.0 > 3 Storage Accounts > 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- CIS v2.1.0 > 3 Storage Accounts > 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- CIS v2.1.0 > 3 Storage Accounts > 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- CIS v2.1.0 > 3 Storage Accounts > 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- CIS v2.1.0 > 3 Storage Accounts > 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- CIS v2.1.0 > 3 Storage Accounts > 3.16 Ensure 'Cross Tenant Replication' is not enabled
- CIS v2.1.0 > 3 Storage Accounts > 3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`
- CIS v2.1.0 > 3 Storage Accounts > 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- CIS v2.1.0 > 3 Storage Accounts > 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- CIS v2.1.0 > 3 Storage Accounts > 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- CIS v2.1.0 > 3 Storage Accounts > 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- CIS v2.1.0 > 3 Storage Accounts > 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- CIS v2.1.0 > 3 Storage Accounts > 3.7 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- CIS v2.1.0 > 3 Storage Accounts > 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- CIS v2.1.0 > 3 Storage Accounts > 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v2.1.0 > 4 Database Services > 4.4 MySQL Database > 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.4 MySQL Database > 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- CIS v2.1.0 > 4 Database Services > 4.4 MySQL Database > 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.4 MySQL Database > 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- CIS v2.1.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.2 Ensure That Private Endpoints Are Used Where Possible
- CIS v2.1.0 > 4 Database Services > 4.5 Cosmos DB > 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.3 Configuring Application Insights > 5.3.1 Ensure Application Insights are Configured
- CIS v2.1.0 > 5 Logging and Monitoring > 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- CIS v2.1.0 > 6 Networking > 6.1 Ensure that RDP access from the Internet is evaluated and restricted
- CIS v2.1.0 > 6 Networking > 6.2 Ensure that SSH access from the Internet is evaluated and restricted
- CIS v2.1.0 > 6 Networking > 6.3 Ensure that UDP access from the Internet is evaluated and restricted
- CIS v2.1.0 > 6 Networking > 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
- CIS v2.1.0 > 6 Networking > 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- CIS v2.1.0 > 6 Networking > 6.6 Ensure that Network Watcher is 'Enabled'
- CIS v2.1.0 > 6 Networking > 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- CIS v2.1.0 > 7 Virtual Machines > 7.1 Ensure an Azure Bastion Host Exists
- CIS v2.1.0 > 7 Virtual Machines > 7.2 Ensure Virtual Machines are utilizing Managed Disks
- CIS v2.1.0 > 7 Virtual Machines > 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- CIS v2.1.0 > 7 Virtual Machines > 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- CIS v2.1.0 > 7 Virtual Machines > 7.5 Ensure that Only Approved Extensions Are Installed
- CIS v2.1.0 > 7 Virtual Machines > 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
- CIS v2.1.0 > 7 Virtual Machines > 7.7 [Legacy] Ensure that VHDs are Encrypted
- CIS v2.1.0 > 7 Virtual Machines > 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
- CIS v2.1.0 > 7 Virtual Machines > 7.9 Ensure Trusted Launch is enabled on Virtual Machines
- CIS v2.1.0 > 8 Key Vault > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.5 Ensure the Key Vault is Recoverable
- CIS v2.1.0 > 8 Key Vault > 8.6 Enable Role Based Access Control for Azure Key Vault
- CIS v2.1.0 > 8 Key Vault > 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v2.1.0 > 8 Key Vault > 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- CIS v2.1.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v2.1.0 > 9 AppService > 9.10 Ensure Azure Key Vaults are Used to Store Secrets
- CIS v2.1.0 > 9 AppService > 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- CIS v2.1.0 > 9 AppService > 9.3 Ensure Web App is using the latest version of TLS encryption
- CIS v2.1.0 > 9 AppService > 9.4 Ensure that Register with Entra ID is enabled on App Service
- CIS v2.1.0 > 9 AppService > 9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.7 Ensure that 'Java version' is the latest, if used to run the Web App
- CIS v2.1.0 > 9 AppService > 9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.9 Ensure FTP deployments are Disabled
- Cognitive Services accounts should disable public network access
- Cognitive Services accounts should enable data encryption with a customer-managed key
- Cognitive Services accounts should have local authentication methods disabled
- Cognitive Services accounts should restrict network access
- Cognitive Services should use private link
- Container Instance container group should use customer-managed key for encryption
- Container registries should be encrypted with a customer-managed key
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Container Registry should use a virtual network service endpoint
- Cosmos DB should use a virtual network service endpoint
- CosmosDB accounts should use private link
- Deploy default Microsoft IaaSAntimalware extension for Windows Server
- Deploy Diagnostic Settings for Network Security Groups
- Deploy network watcher when virtual networks are created
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
- Disk access resources should use private link
- Disk encryption should be enabled on Azure Data Explorer
- Double encryption should be enabled on Azure Data Explorer
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Endpoint protection solution should be installed on virtual machine scale sets
- Enforce SSL connection should be enabled for MySQL database servers
- Enforce SSL connection should be enabled for PostgreSQL database servers
- Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
- Ensure that 'HTTP Version' is the latest, if used to run the Function app
- Ensure that 'HTTP Version' is the latest, if used to run the Web app
- Ensure That Microsoft Defender for Databases is set to 'On'
- Ensure That Microsoft Defender for Open-Source Relational Databases is set to 'On'
- Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Event Hub namespaces should use a customer-managed key for encryption
- Event Hub namespaces should use private link
- Event Hub should use a virtual network service endpoint
- Flow logs should be configured for every network security group
- FTPS only should be required in your API App
- FTPS only should be required in your Function App
- FTPS should be required in your Web App
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Function apps should have remote debugging turned off
- Function apps should not have CORS configured to allow every resource to access your apps
- Function apps should only be accessible over HTTPS
- Function apps should use managed identity
- Function apps should use the latest TLS version
- Gateway subnets should not be configured with a network security group
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- Geo-redundant storage should be enabled for Storage Accounts
- Guest Configuration extension should be installed on your machines
- HIPAA HITRUST 9.2 > 06 Configuration Management > 0605.10h1System.12-10.h 10.04 Security of System Files > Windows machines should meet requirements for 'Security Options - Audit'
- HIPAA HITRUST 9.2 > 08 Network Protection > 0858.09m1Organizational.4-09.m 09.06 Network Security Management > Windows machines should meet requirements for 'Windows Firewall Properties'
- HIPAA HITRUST 9.2 > 08 Network Protection > 0861.09m2Organizational.67-09.m 09.06 Network Security Management > Windows machines should meet requirements for 'Security Options - Network Access'
- HIPAA HITRUST 9.2 > 09 Transmission Protection > 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services > Audit Windows machines that do not contain the specified certificates in Trusted Root
- HIPAA HITRUST 9.2 > 11 Access Control > 1123.01q1System.2-01.q 01.05 Operating System Access Control > Audit Windows machines that have extra accounts in the Administrators group
- HIPAA HITRUST 9.2 > 11 Access Control > 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems > Windows machines should meet requirements for 'Security Options - Accounts'
- HIPAA HITRUST 9.2 > 12 Audit Logging & Monitoring > 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures > Windows machines should meet requirements for 'Security Options - User Account Control'
- HIPAA HITRUST 9.2 > 16 Business Continuity & Disaster Recovery > 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management > Windows machines should meet requirements for 'Security Options - Recovery console'
- HPC Cache accounts should use customer-managed key for encryption
- Infrastructure encryption should be enabled for Azure Database for MySQL servers
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- Internet-facing virtual machines should be protected with network security groups
- IoT Hub device provisioning service instances should use private link
- IP Forwarding on your virtual machine should be disabled
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key Vault should use a virtual network service endpoint
- Key vaults should have deletion protection enabled
- Key vaults should have soft delete enabled
- Kubernetes clusters should be accessible only over HTTPS
- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- Linux machines should meet requirements for the Azure compute security baseline
- Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
- Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
- Log Analytics extension should be installed on your Linux Azure Arc machines
- Log Analytics extension should be installed on your Windows Azure Arc machines
- Log Analytics workspaces should block log ingestion and querying from public networks
- Log Analytics Workspaces should block non-Azure Active Directory based ingestion
- Long-term geo-redundant backup should be enabled for Azure SQL Databases
- Managed disks should be double encrypted with both platform-managed and customer-managed keys
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines
- Microsoft Antimalware for Azure should be configured to automatically update protection signatures
- Microsoft Defender for Containers should be enabled
- Microsoft Defender for Storage (Classic) should be enabled
- Monitor log profiles should have retention set to 365 days or greater
- Monitor missing Endpoint Protection in Azure Security Center
- MySQL servers should use customer-managed keys to encrypt data at rest
- Network load balancers should use standard SKUs as a minimum
- Network public IPs should use standard SKUs as a minimum
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Network Watcher flow logs should have traffic analytics enabled
- Network Watcher should be enabled
- NIST SP 800-53 Revision 5 > Access Control (AC) > Access Enforcement (AC-3) > Authorize access to security functions and information
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster containers should not share host process ID or host IPC namespace
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster containers should only use allowed AppArmor profiles
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster containers should only use allowed capabilities
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster containers should only use allowed images
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster containers should run with a read only root file system
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster pod hostPath volumes should only use allowed host paths
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster pods and containers should only run with approved user and group IDs
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster pods should only use approved host network and port range
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster services should listen only on allowed ports
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes cluster should not allow privileged containers
- NIST SP 800-53 Revision 5 > Configuration Management (CM) > Configuration Settings (CM-6) > Kubernetes clusters should not allow container privilege escalation
- NIST SP 800-53 Revision 5 > Identification and Authentication (IA) > Authenticator Management (IA-5) > Certificates should have the specified maximum validity period
- NIST SP 800-53 Revision 5 > Risk Assessment (RA) > Vulnerability Monitoring and Scanning (RA-5) > Container registry images should have vulnerability findings resolved
- NIST SP 800-53 Revision 5 > Risk Assessment (RA) > Vulnerability Monitoring and Scanning (RA-5) > SQL servers on machines should have vulnerability findings resolved
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Azure Automation accounts should use customer-managed keys to encrypt data at rest
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Azure Monitor Logs clusters should be encrypted with customer-managed key
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Azure Recovery Services vaults should use customer-managed keys for encrypting backup data
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Azure Stream Analytics jobs should use customer-managed keys to encrypt data
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Bot Service should be encrypted with a customer-managed key
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Logic Apps Integration Service Environment should be encrypted with customer-managed keys
- NIST SP 800-53 Revision 5 > System and Communications Protection (SC) > Cryptographic Key Establishment and Management (SC-12) > Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
- Non-internet-facing virtual machines should be protected with network security groups
- Only secure connections to your Azure Cache for Redis should be enabled
- OS and data disks should be encrypted with a customer-managed key
- PostgreSQL servers should use customer-managed keys to encrypt data at rest
- Private endpoint connections on Azure SQL Database should be enabled
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Public network access on Azure SQL Database should be disabled
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Recovery Services vaults should use private link
- Require encryption on Data Lake Store accounts
- Reserve Bank of India - IT Framework for NBFC Regulatory Compliance > Information and Cyber Security > Information Security-3 > Identification and Classification of Information Assets-3.1 > Segregation of Functions-3.1.b > Secure Boot should be enabled on supported Windows virtual machines
- Resource logs in Azure Data Lake Store should be enabled
- Resource logs in Azure Key Vault Managed HSM should be enabled
- Resource logs in Azure Stream Analytics should be enabled
- Resource logs in Batch accounts should be enabled
- Resource logs in Data Lake Analytics should be enabled
- Resource logs in Event Hub should be enabled
- Resource logs in IoT Hub should be enabled
- Resource logs in Key Vault should be enabled
- Resource logs in Logic Apps should be enabled
- Resource logs in Search services should be enabled
- Resource logs in Service Bus should be enabled
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
- Secure transfer to storage accounts should be enabled
- Service Bus Premium namespaces should use a customer-managed key for encryption
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Service Fabric clusters should only use Azure Active Directory for client authentication
- SQL databases should have vulnerability findings resolved
- SQL databases transparent data encryption should be enabled
- SQL managed instances should use customer-managed keys to encrypt data at rest
- SQL Server should use a virtual network service endpoint
- SQL servers should use customer-managed keys to encrypt data at rest
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Storage account public access should be disallowed
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should have infrastructure encryption
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should use customer-managed key for encryption
- Storage accounts should use private link
- Subnets should be associated with a Network Security Group
- Subscriptions should have a contact email address for security issues
- System updates on virtual machine scale sets should be installed
- System updates should be installed on your machines
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- There should be more than one owner assigned to your subscription
- Transparent Data Encryption on SQL databases should be enabled
- Virtual machines and virtual machine scale sets should have encryption at host enabled
- Virtual machines should be connected to an approved virtual network
- Virtual machines should be migrated to new Azure Resource Manager resources
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Virtual network gateways should use standard SKUs as a minimum
- VM Image Builder templates should use private link
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your machines should be remediated
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerability assessment should be enabled on SQL Managed Instance
- Vulnerability assessment should be enabled on your SQL servers
- Vulnerability assessment should be enabled on your Synapse workspaces
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- Web Application Firewall (WAF) should use the specified mode for Application Gateway
- Web Application should only be accessible over HTTPS
- Windows Defender Exploit Guard should be enabled on your machines
- Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
- Windows machines should meet requirements for 'User Rights Assignment'
- Windows machines should meet requirements of the Azure compute security baseline
- Windows web servers should be configured to use secure communication protocols
Schema for azure_subscription
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
authorization_source | text | | The authorization source of the request. Valid values are one or more combinations of Legacy, RoleBased, Bypassed, Direct and Management. For example, 'Legacy, RoleBased'. |
cloud_environment | text | | The Azure Cloud Environment. |
display_name | text | | A friendly name that identifies a subscription. |
id | text | | The fully qualified ID for the subscription. For example, /subscriptions/00000000-0000-0000-0000-000000000000. |
managed_by_tenants | jsonb | | An array containing the tenants managing the subscription. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
state | text | | The subscription state. Possible values are Enabled, Warned, PastDue, Disabled, and Deleted (the Azure SDK exposes these as the constants StateEnabled, StateWarned, StatePastDue, StateDisabled and StateDeleted). |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The subscription ID. |
subscription_policies | jsonb | | The subscription policies. |
tags | jsonb | | A map of tags for the resource. |
tenant_id | text | | The subscription tenant ID. |
title | text | | Title of the resource. |
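The columns above are enough for a first-pass access review at the subscription layer. The query below is an added example written for this page, not a query from the Steampipe documentation or the azure plugin itself. It runs against the Steampipe Postgres database and combines three checks into one findings list: subscriptions whose lifecycle state is not Enabled, subscriptions still authorised through classic (Legacy) administrators, and subscriptions delegated to a foreign tenant through `managed_by_tenants` (Azure Lighthouse). The `tenantId` key inside each `managed_by_tenants` element is assumed from the Azure SDK's ManagedByTenant type; confirm it against one row from your own connection before relying on the third check.

```sql
-- Added example, not part of the Steampipe azure plugin documentation.
-- Subscription-level review over azure_subscription.
with lifecycle as (
  -- 1. Anything other than Enabled. Warned, PastDue and Disabled
  --    subscriptions still hold resources, role assignments and secrets,
  --    but are rarely on anyone's review list.
  select
    subscription_id,
    display_name,
    'state is ' || state as finding
  from
    azure_subscription
  where
    state <> 'Enabled'
),
legacy_auth as (
  -- 2. Subscriptions whose authorization source still includes the
  --    classic administrator model rather than pure Azure RBAC.
  select
    subscription_id,
    display_name,
    'authorization_source is ' || authorization_source as finding
  from
    azure_subscription
  where
    authorization_source like '%Legacy%'
),
delegated as (
  -- 3. Subscriptions managed by a tenant other than their home tenant
  --    (Azure Lighthouse delegation). The 'tenantId' key is assumed
  --    from the Azure SDK ManagedByTenant type. The jsonb_typeof guard
  --    skips rows where the column is SQL NULL or a JSON null.
  select
    s.subscription_id,
    s.display_name,
    'managed by tenant ' || (m ->> 'tenantId') as finding
  from
    azure_subscription as s,
    jsonb_array_elements(s.managed_by_tenants) as m
  where
    jsonb_typeof(s.managed_by_tenants) = 'array'
    and (m ->> 'tenantId') is distinct from s.tenant_id
)
select * from lifecycle
union all
select * from legacy_auth
union all
select * from delegated
order by
  subscription_id,
  finding;
```

Each branch returns the same three columns so the `union all` is well formed; a subscription can appear several times, once per finding, which is the shape most ticketing or dashboard exports want. The `subscription_id` column carries `=` and `~~` operators, so adding `where subscription_id = '<id>'` to any branch lets Steampipe push that filter to the Azure API instead of listing every subscription and filtering in Postgres.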
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script. As with any installer piped from curl into a shell, download and read the script before running it:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_azure --config '<your_config>' azure_subscription
```