Checks We Perform
Below is a list of all the checks we perform. Select one to view more information.
- All (61)
- Logical Access (7)
- Configuration Management (9)
- Network Monitoring (23)
- Incident Response (1)
- Data Security (16)
- Vulnerability Management (5)
Logical Access
1.3 Ensure guest users are reviewed on a monthly basis
Description:
Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.
Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.
Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.
Logical Access
1.21 Ensure that no custom subscription owner roles are created
Description:
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Configuration Management
1.22 Ensure Security Defaults is enabled on Azure Active Directory
Description:
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.
Network Monitoring
2.11 Enable automatic provisioning of the monitoring agent to collect security data.
Description:
Enable automatic provisioning of the monitoring agent to collect security data.
Incident Response
2.13 Ensure 'Additional email addresses' is configured with a security contact email
Description:
Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
Network Monitoring
2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
Description:
Enables emailing security alerts to the subscription owner or other designated security contact.
Logical Access
2.15 Ensure that 'All users with the following roles' is set to 'Owner'
Description:
Enable security alert emails to subscription owners.
Data Security
3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
Description:
Enable data encryption in transit.
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.
Configuration Management
3.5 Ensure that 'Public access level' is set to Private for blob containers
Description:
Disable anonymous access to blob containers and disallow blob public access on storage account.
Configuration Management
3.6 Ensure default network access rule for Storage Accounts is set to 'Deny'
Description:
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
Data Security
3.8 Ensure soft delete is enabled for Azure Storage
Description:
The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability.
It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
Data Security
3.9 Ensure storage for critical data are encrypted with Customer Managed Key
Description:
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.
Network Monitoring
4.1.1 Ensure that 'Auditing' is set to 'On'
Description:
Enable auditing on SQL Servers.
Data Security
4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
Description:
Enable Transparent Data Encryption on every SQL server.
Network Monitoring
4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
Description:
SQL Server Audit Retention should be configured to be greater than 90 days.
Vulnerability Management
4.2.1 Ensure that Advanced Threat Protection (ATP) on an SQL server is set to 'Enabled'
Description:
Enable "Azure Defender for SQL" on critical SQL Servers.
Vulnerability Management
4.2.2 Ensure that Vulnerability Assessments on an SQL server is configured
Description:
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.
Vulnerability Management
4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
Description:
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
Vulnerability Management
4.2.4 Ensure that VA setting Send Scan Reports is configured for a SQL server
Description:
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers.
Vulnerability Management
4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for an SQL server
Description:
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.
Data Security
4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Description:
Enable SSL connection on PostgreSQL Servers.
Data Security
4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for Mysql Database Server
Description:
Enable SSL connection on MYSQL Servers.
Network Monitoring
4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Description:
Enable log_checkpoints on PostgreSQL Servers.
Network Monitoring
4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Description:
Enable log_connections on PostgreSQL Servers.
Network Monitoring
4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Description:
Enable log_disconnections on PostgreSQL Servers.
Network Monitoring
4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Description:
Enable connection_throttling on PostgreSQL Servers.
Network Monitoring
4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Description:
Enable log_retention_days on PostgreSQL Servers.
Logical Access
4.4 Ensure that Azure Active Directory Admin is configured
Description:
Use Azure Active Directory Authentication for authentication with SQL Database.
Data Security
4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
Description:
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
Network Monitoring
5.1.1 Ensure that a 'Diagnostics Setting' exists
Description:
Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment.
Network Monitoring
5.1.2 Ensure Diagnostic Setting captures appropriate categories
Description:
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
Configuration Management
5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
Description:
The storage account container containing the activity log export should not be publicly accessible.
Data Security
5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
Description:
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
Network Monitoring
5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'
Description:
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
Network Monitoring
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
Description:
Create an activity log alert for the Create Policy Assignment event.
Network Monitoring
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
Description:
Create an activity log alert for the Delete Policy Assignment event.
Network Monitoring
5.2.3 Ensure that Activity Log Alert exists for Creating or Updating a Network Security Group
Description:
Create an Activity Log Alert for the "Create" or "Update Network Security Group" event.
Network Monitoring
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
Description:
Create an activity log alert for the Delete Network Security Group event.
Network Monitoring
5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
Description:
Create an activity log alert for the Create or Update Network Security Group Rule event.
Network Monitoring
5.2.6 Ensure that Activity Log alert exists for the Delete Network Security Group Rule
Description:
Create an activity log alert for the Delete Network Security Group Rule event.
Network Monitoring
5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
Description:
Create an activity log alert for the Create or Update Security Solution event.
Network Monitoring
5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
Description:
Create an activity log alert for the Delete Security Solution event.
Network Monitoring
5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Description:
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.
Network Monitoring
5.3 Ensure that Diagnostic Logs are enabled for all services which support it
Description:
Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (See the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostics logs for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts.
A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Note: The CIS Benchmark covers some specific Diagnostic Logs separately.
<3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests>
<6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'>
A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Note: The CIS Benchmark covers some specific Diagnostic Logs separately.
<3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests>
<6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'>
Configuration Management
6.1 Ensure that RDP access is restricted from the internet
Description:
Disable RDP access on network security groups from the Internet.
Configuration Management
6.2 Ensure that SSH access is restricted from the internet
Description:
Disable SSH access on network security groups from the Internet.
Configuration Management
6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Description:
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
Network Monitoring
6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Description:
Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.
Configuration Management
6.6 Ensure that UDP access is restricted from the internet
Description:
Disable Internet exposed UDP ports on network security groups.
Data Security
7.2 Ensure that 'OS and Data' disks are encrypted with CMK
Description:
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.
Data Security
7.3 Ensure that 'Unattached disks' are encrypted with CMK
Description:
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
Data Security
8.1 Ensure that the expiration date is set on all key vault keys
Description:
Ensure that all keys in Azure Key Vault have an expiration time set.
Data Security
8.2 Ensure that the expiration date is set on all key vaults secrets
Description:
Ensure that all Secrets in the Azure Key Vault have an expiration time set.
Data Security
8.4 Ensure that key vaults are recoverable
Description:
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. \nIt is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.
Logical Access
8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
Description:
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances
Data Security
9.1 Ensure App Service Authentication is set on Azure App Service
Description:
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Data Security
9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
Description:
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
Data Security
9.3 Ensure web app is using the latest version of TLS encryption
Description:
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.
Logical Access
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Description:
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Logical Access
9.5 Ensure that Register with Azure Active Directory is enabled on App Service
Description:
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.
Configuration Management
9.10 Ensure FTP deployments are disabled
Description:
By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.
Logical Access
1.3 Ensure guest users are reviewed on a monthly basis
Description:
Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.
Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.
Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.
Logical Access
1.21 Ensure that no custom subscription owner roles are created
Description:
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Logical Access
2.15 Ensure that 'All users with the following roles' is set to 'Owner'
Description:
Enable security alert emails to subscription owners.
Logical Access
4.4 Ensure that Azure Active Directory Admin is configured
Description:
Use Azure Active Directory Authentication for authentication with SQL Database.
Logical Access
8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
Description:
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances
Logical Access
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Description:
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Logical Access
9.5 Ensure that Register with Azure Active Directory is enabled on App Service
Description:
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.
Configuration Management
1.22 Ensure Security Defaults is enabled on Azure Active Directory
Description:
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.
Configuration Management
3.5 Ensure that 'Public access level' is set to Private for blob containers
Description:
Disable anonymous access to blob containers and disallow blob public access on storage account.
Configuration Management
3.6 Ensure default network access rule for Storage Accounts is set to 'Deny'
Description:
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
Configuration Management
5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
Description:
The storage account container containing the activity log export should not be publicly accessible.
Configuration Management
6.1 Ensure that RDP access is restricted from the internet
Description:
Disable RDP access on network security groups from the Internet.
Configuration Management
6.2 Ensure that SSH access is restricted from the internet
Description:
Disable SSH access on network security groups from the Internet.
Configuration Management
6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Description:
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
Configuration Management
6.6 Ensure that UDP access is restricted from the internet
Description:
Disable Internet exposed UDP ports on network security groups.
Configuration Management
9.10 Ensure FTP deployments are disabled
Description:
By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.
Network Monitoring
2.11 Enable automatic provisioning of the monitoring agent to collect security data.
Description:
Enable automatic provisioning of the monitoring agent to collect security data.
Network Monitoring
2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
Description:
Enables emailing security alerts to the subscription owner or other designated security contact.
Network Monitoring
4.1.1 Ensure that 'Auditing' is set to 'On'
Description:
Enable auditing on SQL Servers.
Network Monitoring
4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
Description:
SQL Server Audit Retention should be configured to be greater than 90 days.
Network Monitoring
4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Description:
Enable log_checkpoints on PostgreSQL Servers.
Network Monitoring
4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Description:
Enable log_connections on PostgreSQL Servers.
Network Monitoring
4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Description:
Enable log_disconnections on PostgreSQL Servers.
Network Monitoring
4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Description:
Enable connection_throttling on PostgreSQL Servers.
Network Monitoring
4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Description:
Enable log_retention_days on PostgreSQL Servers.
Network Monitoring
5.1.1 Ensure that a 'Diagnostics Setting' exists
Description:
Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment.
Network Monitoring
5.1.2 Ensure Diagnostic Setting captures appropriate categories
Description:
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
Network Monitoring
5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'
Description:
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
Network Monitoring
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
Description:
Create an activity log alert for the Create Policy Assignment event.
Network Monitoring
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
Description:
Create an activity log alert for the Delete Policy Assignment event.
Network Monitoring
5.2.3 Ensure that Activity Log Alert exists for Creating or Updating a Network Security Group
Description:
Create an Activity Log Alert for the "Create" or "Update Network Security Group" event.
Network Monitoring
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
Description:
Create an activity log alert for the Delete Network Security Group event.
Network Monitoring
5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
Description:
Create an activity log alert for the Create or Update Network Security Group Rule event.
Network Monitoring
5.2.6 Ensure that Activity Log alert exists for the Delete Network Security Group Rule
Description:
Create an activity log alert for the Delete Network Security Group Rule event.
Network Monitoring
5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
Description:
Create an activity log alert for the Create or Update Security Solution event.
Network Monitoring
5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
Description:
Create an activity log alert for the Delete Security Solution event.
Network Monitoring
5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Description:
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.
Network Monitoring
5.3 Ensure that Diagnostic Logs are enabled for all services which support it
Description:
Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (See the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostics logs for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts.
A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Note: The CIS Benchmark covers some specific Diagnostic Logs separately.
<3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests>
<6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'>
A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Note: The CIS Benchmark covers some specific Diagnostic Logs separately.
<3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests>
<6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'>
Network Monitoring
6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Description:
Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.
Incident Response
2.13 Ensure 'Additional email addresses' is configured with a security contact email
Description:
Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
Data Security
3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
Description:
Enable data encryption in transit.
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.
Data Security
3.8 Ensure soft delete is enabled for Azure Storage
Description:
The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability.
It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
Data Security
3.9 Ensure storage for critical data are encrypted with Customer Managed Key
Description:
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.
Data Security
4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
Description:
Enable Transparent Data Encryption on every SQL server.
Data Security
4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Description:
Enable SSL connection on PostgreSQL Servers.
Data Security
4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for Mysql Database Server
Description:
Enable SSL connection on MYSQL Servers.
Data Security
4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
Description:
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
Data Security
5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
Description:
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
Data Security
7.2 Ensure that 'OS and Data' disks are encrypted with CMK
Description:
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.
Data Security
7.3 Ensure that 'Unattached disks' are encrypted with CMK
Description:
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
Data Security
8.1 Ensure that the expiration date is set on all key vault keys
Description:
Ensure that all keys in Azure Key Vault have an expiration time set.
Data Security
8.2 Ensure that the expiration date is set on all key vaults secrets
Description:
Ensure that all Secrets in the Azure Key Vault have an expiration time set.
Data Security
8.4 Ensure that key vaults are recoverable
Description:
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. \nIt is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.
Data Security
9.1 Ensure App Service Authentication is set on Azure App Service
Description:
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Data Security
9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
Description:
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
Data Security
9.3 Ensure web app is using the latest version of TLS encryption
Description:
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.
Vulnerability Management
4.2.1 Ensure that Advanced Threat Protection (ATP) on an SQL server is set to 'Enabled'
Description:
Enable "Azure Defender for SQL" on critical SQL Servers.
Vulnerability Management
4.2.2 Ensure that Vulnerability Assessments on an SQL server is configured
Description:
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.
Vulnerability Management
4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
Description:
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
Vulnerability Management
4.2.4 Ensure that VA setting Send Scan Reports is configured for a SQL server
Description:
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers.
Vulnerability Management
4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for an SQL server
Description:
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.