# azure
Official Azure security &amp; compliance CloudQuery policy pack


Azure Security and Compliance pack

azure

Azure Security & Compliance Policy Pack

v0.1.0

cis_v1.3.0

1.1 Ensure that multi-factor authentication is enabled for all privileged users (Manual)

1.2 Ensure that multi-factor authentication is enabled for all non-privileged users (Manual)

1.3 Ensure guest users are reviewed on a monthly basis (Automated)

1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Manual)

1.5 Ensure that 'Number of methods required to reset' is set to '2' (Manual)

1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Manual)

1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual)

1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual)

1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Manual)

1.10 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Manual)

1.11 1.11 Ensure that 'Users can register applications' is set to 'No' (Manual)

1.12 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Manual)

1.13 1.13 Ensure that 'Members can invite' is set to 'No' (Manual)

1.14 1.14 Ensure that 'Guests can invite' is set to 'No' (Manual)

1.15 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Manual)

1.16 1.16 Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Manual)

1.17 1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No' (Manual)

1.18 1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Manual)

1.19 1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' (Manual)

1.20 1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Manual)

1.21 1.21 Ensure that no custom subscription owner roles are created (Automated)

1.22 1.22 Ensure Security Defaults is enabled on Azure Active Directory (Automated)

1.23 1.23 Ensure Custom Role is assigned for Administering Resource Locks (Manual)

Section 1 2.1 Ensure that Azure Defender is set to On for Servers (Automatic)

2.2 Ensure that Azure Defender is set to On for App Service (Automatic)

2.3 Ensure that Azure Defender is set to On for Azure SQL database servers (Automatic)

2.4 Ensure that Azure Defender is set to On for SQL servers on machines (Automatic)

2.5 Ensure that Azure Defender is set to On for Storage (Automatic)

2.6 Ensure that Azure Defender is set to On for Kubernetes (Automatic)

2.7 Ensure that Azure Defender is set to On for Container Registries (Automatic)

2.8 Ensure that Azure Defender is set to On for Key Vault (Automatic)

2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected (Automatic)

2.10 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected (Automatic)

2.11 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' (Automated)

2.12 2.12 Ensure any of the ASC Default policy setting is not set to 'Disabled' (Automated)

2.13 2.13 Ensure 'Additional email addresses' is configured with a security contact email (Automated)

2.14 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High' (Automated)

Section 2 azure_security_policy_parameters

GCP Log Metric Filter and Alarm

azure-cis-section-3

Section 3

4.1.1 4.1.1 Ensure that 'Auditing' is set to 'On' (Automated)

4.1.2 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated)

4.1.3 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' (Automated)

4.2.1 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' (Automated)

4.2.2 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account (Automated)

4.2.3 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server (Automated)

4.2.4 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server (Automated)

4.2.5 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server (Automated)

4.3.1 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Automated)

4.3.2 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server (Automated)

4.3.3 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.4 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.5 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.6 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.7 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Automated)

4.3.8 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled (Automated)

4.4 Ensure that Azure Active Directory Admin is configured (Automated)

4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key (Automated)

azure-cis-section-4

Section 4 azure-cis-section-5

Section 5 6.1 Ensure that RDP access is restricted from the internet (Automated)

6.2 Ensure that SSH access is restricted from the internet (Automated)

6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Automated)

6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)

6.5 Ensure that Network Watcher is 'Enabled' (Manual)

6.6 Ensure that UDP Services are restricted from the Internet (Automated)

azure-cis-section-6

Section 6 azure_nsg_rules

Azure network security groups rules with parsed ports

7.1 Ensure Virtual Machines are utilizing Managed Disks (Manual)

7.2 Ensure that 'OS and Data' disks are encrypted with CMK (Automated)

7.3 Ensure that 'Unattached disks' are encrypted with CMK (Automated)

7.4 Ensure that only approved extensions are installed (Manual)

7.5 Ensure that the latest OS Patches for all Virtual Machines are applied (Manual)

7.6 Ensure that the endpoint protection for all Virtual Machines is installed (Manual)

7.7 Ensure that VHD's are encrypted (Manual)

azure-cis-section-7

Section 7 8.1 Ensure that the expiration date is set on all keys (Automated)

8.2 Ensure that the expiration date is set on all Secrets (Automated)

8.3 Ensure that Resource Locks are set for mission critical Azure resources (Manual)

8.4 Ensure the key vault is recoverable (Automated)

8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services (Automated)

azure-cis-section-8

Section 8 9.1 Ensure App Service Authentication is set on Azure App Service (Automated)

9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Automated)

9.3 Ensure web app is using the latest version of TLS encryption (Automated)

9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Automated)

9.5 Ensure that Register with Azure Active Directory is enabled on App Service (Automated)

9.6 Ensure that 'PHP version' is the latest, if used to run the web app (Manual)

9.7 Ensure that 'Python version' is the latest, if used to run the web app (Manual)

9.8 Ensure that 'Java version' is the latest, if used to run the web app (Manual)

9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app (Manual)

9.10 9.10 Ensure FTP deployments are disabled (Automated)

9.11 9.11 Ensure Azure Keyvaults are used to store secrets (Manual)

azure-cis-section-9

Section 9 v1.3.0 Policy

azure

Version

License

Repository

Published at