# Azure Security & Compliance CloudQuery policy pack

Official Azure security & compliance policy pack for CloudQuery.

## What is CloudQuery

The [open-source](https://github.com/cloudquery/cloudquery) cloud asset inventory powered by SQL.

CloudQuery extracts, transforms, and loads your cloud assets into normalized PostgreSQL tables. CloudQuery enables you to assess, audit, and evaluate the configurations of your cloud assets.

### Links
* Homepage: https://cloudquery.io
* Documentation: https://docs.cloudquery.io
* CloudQuery Hub (providers & policies documentation): https://hub.cloudquery.io/
* Discord: https://cloudquery.io/discord

## Included Policies

- CIS v1.3.0
- HIPAA HITRUST 9.2

## Quick Start

### Prerequisite

1. [Install CloudQuery](https://docs.cloudquery.io/docs/getting-started)

```bash 
# install with brew
brew install cloudquery/tap/cloudquery
# or download precompiled binaries from https://github.com/cloudquery/cloudquery/releases
```

2. [Download and Configure Azure Provider](https://docs.cloudquery.io/docs/cli/fetch/overview)

```bash
cloudquery init azure
```

3. [Fetch](https://hub.cloudquery.io/providers/cloudquery/azure/latest)

```bash
# connect or run  a local PostgreSQL
docker run -p 5432:5432 -e POSTGRES_PASSWORD=pass -d postgres
# extract your cloud infra configuration
cloudquery fetch
```

### Running

```bash
# Describe what is available in the policy pack
cloudquery policy describe azure

# Run the whole pack
cloudquery policy run azure

# Run specific policy
cloudquery policy run azure//cis_v1.3.0
```



Azure Security and Compliance pack

With Azure Policies, you can use CloudQuery to automatically check compliance and security of Azure-based cloud resources.

azure

Azure

v0.2.1

cis_v1.3.0

Ensure that multi-factor authentication is enabled for all privileged users (Manual)

Ensure that multi-factor authentication is enabled for all non-privileged users (Manual)

Ensure guest users are reviewed on a monthly basis (Automated)

Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Manual)

Ensure that 'Number of methods required to reset' is set to '2' (Manual)

Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Manual)

Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual)

Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual)

Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Manual)

1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Manual)

1.11 Ensure that 'Users can register applications' is set to 'No' (Manual)

1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Manual)

1.13 Ensure that 'Members can invite' is set to 'No' (Manual)

1.14 Ensure that 'Guests can invite' is set to 'No' (Manual)

1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Manual)

1.16 Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' (Manual)

1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No' (Manual)

1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Manual)

1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' (Manual)

1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Manual)

1.21 Ensure that no custom subscription owner roles are created (Automated)

1.22 Ensure Security Defaults is enabled on Azure Active Directory (Automated)

1.23 Ensure Custom Role is assigned for Administering Resource Locks (Manual)

Section 1 Ensure that Azure Defender is set to On for Servers (Automatic)

Ensure that Azure Defender is set to On for App Service (Automatic)

Ensure that Azure Defender is set to On for Azure SQL database servers (Automatic)

Ensure that Azure Defender is set to On for SQL servers on machines (Automatic)

Ensure that Azure Defender is set to On for Storage (Automatic)

Ensure that Azure Defender is set to On for Kubernetes (Automatic)

Ensure that Azure Defender is set to On for Container Registries (Automatic)

Ensure that Azure Defender is set to On for Key Vault (Automatic)

Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected (Automatic)

2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected (Automatic)

2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' (Automated)

2.12 Ensure any of the ASC Default policy setting is not set to 'Disabled' (Automated)

2.13 Ensure 'Additional email addresses' is configured with a security contact email (Automated)

2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High' (Automated)

Section 2 azure_security_policy_parameters

GCP Log Metric Filter and Alarm

4.1.1 4.1.1 Ensure that 'Auditing' is set to 'On' (Automated)

4.1.2 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated)

4.1.3 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' (Automated)

4.2.1 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' (Automated)

4.2.2 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account (Automated)

4.2.3 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server (Automated)

4.2.4 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server (Automated)

4.2.5 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server (Automated)

4.3.1 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Automated)

4.3.2 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server (Automated)

4.3.3 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.4 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.5 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.6 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Automated)

4.3.7 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Automated)

4.3.8 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled (Automated)

Ensure that Azure Active Directory Admin is configured (Automated)

Ensure SQL server's TDE protector is encrypted with Customer-managed key (Automated)

azure-cis-section-4

Section 4 Ensure that RDP access is restricted from the internet (Automated)

Ensure that SSH access is restricted from the internet (Automated)

Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Automated)

Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)

Ensure that Network Watcher is 'Enabled' (Manual)

Ensure that UDP Services are restricted from the Internet (Automated)

azure-cis-section-6

Section 6 azure_nsg_rules

Azure network security groups rules with parsed ports

Ensure Virtual Machines are utilizing Managed Disks (Manual)

Ensure that 'OS and Data' disks are encrypted with CMK (Automated)

Ensure that 'Unattached disks' are encrypted with CMK (Automated)

Ensure that only approved extensions are installed (Manual)

Ensure that the latest OS Patches for all Virtual Machines are applied (Manual)

Ensure that the endpoint protection for all Virtual Machines is installed (Manual)

Ensure that VHD's are encrypted (Manual)

azure-cis-section-7

Section 7 Ensure that the expiration date is set on all keys (Automated)

Ensure that the expiration date is set on all Secrets (Automated)

Ensure that Resource Locks are set for mission critical Azure resources (Manual)

Ensure the key vault is recoverable (Automated)

Enable role-based access control (RBAC) within Azure Kubernetes Services (Automated)

azure-cis-section-8

Section 8 Ensure App Service Authentication is set on Azure App Service (Automated)

Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Automated)

Ensure web app is using the latest version of TLS encryption (Automated)

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Automated)

Ensure that Register with Azure Active Directory is enabled on App Service (Automated)

Ensure that 'PHP version' is the latest, if used to run the web app (Manual)

Ensure that 'Python version' is the latest, if used to run the web app (Manual)

Ensure that 'Java version' is the latest, if used to run the web app (Manual)

Ensure that 'HTTP Version' is the latest, if used to run the web app (Manual)

9.10 Ensure FTP deployments are disabled (Automated)

9.11 Ensure Azure Keyvaults are used to store secrets (Manual)

azure-cis-section-9

Section 9 v1.3.0 Policy

hipaa_hitrust_v9.2

administrator_and_operator_logs

1270_09ad1system_12_09_ad

The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis.

1271_09ad1system_1_09_ad

An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance.

Administrator and Operator Logs

audit_logging

1202_09aa1system_1_09_aa

A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information.

1203_09aa1system_2_09_aa

Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed.

1204_09aa1system_3_09_aa

The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event.

1205_09aa2system_1_09_aa

Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents.

1206_09aa2system_23_09_aa

Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised,  activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects.

1207_09aa2system_4_09_aa

Audit records are retained for 90 days and older audit records are archived for one year.

1208_09aa3system_1_09_aa

Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.

1209_09aa3system_2_09_aa

The information system generates audit records containing the following detailed information: (i) filename accessed; (ii) program or command used to initiate the event; and (iii) source and destination addresses.

1210_09aa3system_3_09_aa

All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender.

1211_09aa3system_4_09_aa

The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.

Audit Logging

back_up

1616_09l1organizational_16_09_l

Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals.

1617_09l1organizational_23_09_l

A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements.

1618_09l1organizational_45_09_l

The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location.

1619_09l1organizational_7_09_l

Inventory records for the backup copies, including content and current location, are maintained.

1620_09l1organizational_8_09_l

When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information.

1621_09l2organizational_1_09_l

Automated tools are used to track all backups.

1622_09l2organizational_23_09_l

The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster.

1623_09l2organizational_4_09_l

Covered information is backed-up in an encrypted format to ensure confidentiality.

1624_09l3organizational_12_09_l

The organization performs incremental or differential backups daily and full backups weekly to separate media.

1625_09l3organizational_34_09_l

Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action.

1626_09l3organizational_5_09_l

The organization ensures a current, retrievable copy of covered information is available before movement of servers.

1627_09l3organizational_6_09_l

The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter.

1699_09l1organizational_10_09_l

Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.

Back-up

v9.2 Policy