Azure Policy
Operations
-
Install Vulnerability Assessment Solution on Virtual Machines
-
Use a Vulnerability Assessment Solution to Remediate Vulnerabilities
-
Enable Log Alert for Account Delete Network Security Group Rule
-
Enable Log Alert for Create/Update Delete SQL Server Firewall Rule
-
Enable 'Periodic Recurring Scans' in SQL Server Vulnerability Assessment
-
Enable Auto-Provisioning Policy for Defender Log Analytics Agent
-
Configure Network Security Group Flow Log Retention Period to More Than 90 Days
-
Set all Users Option to Owner in Email Notifications for MS Defender
-
Set the Severity of the Notification Alerts in MS Defender to High
Security
-
Restrict Network Ports on Network Security Groups Associated to VM
-
Harden the Network Security Group Rules for Internet-Facing Virtual Machines
-
Enable Disk Encryption Monitoring and Recommendations for Microsoft Azure Virtual Machines (VMs)
-
Enable the HTTP/2 Protocol Azure App Service Web Applications
-
Monitor Missing Endpoint Protection on VM in Security Center
-
Configure 'Send Scan Report to' within Vulnerability Assessment Under SQL Server
-
Set Retention Duration to 'Greater than 90 days' for SQL Server
-
Ensure that MySQL Flexible Database Server has the Latest TLS Version
Tagging
- Assign Mandatory Tags to Blob Container
- Assign Mandatory Tags to Databricks
- Assign Mandatory Tags to Disk
- Assign Mandatory Tags to Load Balancer
- Assign Mandatory Tags to MySQL Server
- Assign Mandatory Tags to Network Interface
- Assign Mandatory Tags to Network Security Group
- Assign Mandatory Tags to Resource Group
- Assign Mandatory Tags to Security Center
- Assign Mandatory Tags to SQL Database
- Assign Mandatory Tags to SQL Server
- Assign Mandatory Tags to Storage Account
- Assign Mandatory Tags to Virtual Machine
- Assign Mandatory Tags to Virtual Network
Risk: Critical
Target: Network Security Group
Compliance:
Description
Microsoft Azure network security groups (NSGs) attached to your virtual machines should not permit unrestricted inbound access on TCP ports 20 and 21, the data and control ports used by File Transfer Protocol (FTP) client-server applications. FTP sends credentials in cleartext, and exposed FTP logins are routinely brute-forced to gain access to the underlying virtual machines, so restrict the source of any rule that opens these ports to trusted IP addresses.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
Secure remote login is provided by SSH, which connects an SSH client to an SSH server over TCP port 22. To minimize the chance of a breach and adhere to the principle of least privilege, review the inbound rules of your Microsoft Azure network security groups (NSGs) for TCP port 22 and restrict the source to only the necessary IP addresses. Unrestricted access means a source of 0.0.0.0/0, the "*" wildcard, the portal's "Any" choice, or the "Internet" service tag; all four admit every host on the Internet.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
Microsoft Message Queuing (MSMQ), DCOM, and other Windows and Windows Server components use the Remote Procedure Call (RPC) endpoint mapper on TCP port 135 for client-server communication. Exposing this port to the Internet gives attackers a well-known foothold for reconnaissance, exploitation of RPC-based services, ransomware propagation, and denial-of-service (DoS) attacks. To reduce the attack surface and follow the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP port 135.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
TCP port 1433 is the default listening port of Microsoft SQL Server. Allowing unrestricted inbound access to it exposes the database engine to credential brute-forcing, exploitation of unpatched vulnerabilities, and denial-of-service (DoS) attacks. To minimize the attack surface and adhere to the principle of least privilege, ensure that all Microsoft Azure network security groups (NSGs) limit inbound access on TCP port 1433 to trusted IP addresses only.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
Port 1434 is used by the SQL Server Browser service (UDP 1434), which reveals the names and listening ports of the SQL Server instances on a host, and by default by the Dedicated Administrator Connection (TCP 1434). Exposing it to the public Internet hands attackers free reconnaissance and a direct path to the instance. Restrict inbound access on port 1434 to trusted IP addresses, and complement the NSG rule with virtual network service endpoints, Azure Private Link, or SQL firewall rules where applicable. Regular patching and strong authentication remain essential for the SQL Server itself.
Resolution
Restrict NSG Source Setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
TCP port 1521 is the default port of the Oracle Database TNS listener. To implement the principle of least privilege and enhance the security of your Microsoft Azure network, restrict inbound access on TCP port 1521 to trusted entities (i.e., specific IP addresses). Limiting access to trusted sources reduces the attack surface and protects the database from password-guessing and listener exploits launched from the Internet.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
TCP port 3306 is the default port of MySQL (and MariaDB) servers. To protect against malicious actors and reduce the attack surface, ensure that Microsoft Azure network security groups (NSGs) do not permit unrestricted inbound access (e.g., 0.0.0.0/0) on TCP port 3306, and limit the source of any rule that opens it to trusted IP addresses.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Unrestricted inbound access (e.g., 0.0.0.0/0) on TCP port 3389 should not be allowed: Internet-exposed RDP endpoints are a constant target for credential brute-forcing and for exploits against the RDP service itself, and they increase the attack surface of every VM behind them.
To increase security, update your Azure Network Security Group (NSG) configuration to restrict Remote Desktop Protocol (RDP) access to specific IP addresses or IP ranges.
Resolution
Restrict NSG Source setting
Risk: Critical
Target: Network Security Group
Compliance:
Description
TCP port 5432 is the default PostgreSQL port. To protect against malicious actors and reduce the attack surface, ensure that no Microsoft Azure network security group (NSG) rule permits unrestricted inbound access (e.g., 0.0.0.0/0) on TCP port 5432; restrict inbound access to trusted IP addresses only.
Resolution
Restrict NSG Source setting
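The port policies above (and the management-ports policy further down this page) all reduce to one question: does any inbound NSG rule open a given port to the whole Internet? The following Python is an added example of that check, not Paladin Cloud's own rule code. It evaluates rules in priority order the way the NSG does, treats "*", "Any", the Internet service tag and 0.0.0.0/0 as unrestricted sources, and runs against a constructed sample rule set in the shape the Azure Resource Manager API returns (field names are real; the rule values are invented):

```python
import ipaddress

# Constructed sample: the securityRules of one NSG in the shape the Azure
# Resource Manager API returns them, trimmed to the fields the check reads.
# Example values only; not rules taken from any real subscription.
SAMPLE_NSG_RULES = [
    {"name": "AllowMgmtSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowAnyRDP", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "DenyDbFromInternet", "priority": 250, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["1433", "1434", "5432"]},
    {"name": "AllowHighPorts", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["0.0.0.0/0"],
     "destinationPortRange": "1024-65535"},
]

# Source values that mean "anywhere" in an NSG rule: the wildcard, the "Any"
# portal choice, the Internet service tag, and the all-zero CIDRs.
UNRESTRICTED_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

# (protocol, port) -> service, covering the ports the policies on this page
# name. UDP 1434 is the SQL Server Browser port; the rest are TCP defaults.
CRITICAL_PORTS = {
    ("Tcp", 20): "FTP-data", ("Tcp", 21): "FTP", ("Tcp", 22): "SSH", ("Tcp", 135): "RPC",
    ("Tcp", 1433): "MSSQL", ("Udp", 1434): "SQL-Browser", ("Tcp", 1521): "Oracle",
    ("Tcp", 3306): "MySQL", ("Tcp", 3389): "RDP", ("Tcp", 5432): "PostgreSQL",
}


def source_is_unrestricted(prefix):
    """True if a sourceAddressPrefix admits every Internet host."""
    p = prefix.strip().lower()
    if p in UNRESTRICTED_SOURCES:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:  # a service tag or ASG name: not "everyone"
        return False


def rule_sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def rule_port_ranges(rule):
    """Destination ports as (low, high) tuples; '*' covers everything."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ranges = []
    for item in raw:
        item = str(item).strip()
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def rule_matches(rule, port, protocol):
    if rule.get("direction", "").lower() != "inbound":
        return False
    proto = rule.get("protocol", "*").lower()
    if proto not in ("*", protocol.lower()):
        return False
    return any(low <= port <= high for low, high in rule_port_ranges(rule))


def internet_exposed_rule(rules, port, protocol="Tcp"):
    """Name of the rule that opens `port` to the whole Internet, or None.

    Rules are walked in priority order (lowest number first) and the first
    match decides, exactly as the NSG does. Rules with a narrow source are
    skipped: a narrow Allow exposes the port only to that source and a
    narrow Deny protects it only from that source, so neither settles the
    question for an arbitrary Internet host. With no unrestricted match the
    built-in DenyAllInBound rule (priority 65500) applies: port closed.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not rule_matches(rule, port, protocol):
            continue
        if not any(source_is_unrestricted(s) for s in rule_sources(rule)):
            continue
        return rule["name"] if rule.get("access", "").lower() == "allow" else None
    return None


def audit_nsg(rules, ports=CRITICAL_PORTS):
    """Map 'Service Proto/port' -> offending rule name for each exposed port."""
    findings = {}
    for (protocol, port), service in ports.items():
        offender = internet_exposed_rule(rules, port, protocol)
        if offender:
            findings[f"{service} {protocol}/{port}"] = offender
    return findings


if __name__ == "__main__":
    for exposure, rule_name in audit_nsg(SAMPLE_NSG_RULES).items():
        print(f"{exposure}: opened to the Internet by rule {rule_name}")
```

Note how the sample is judged: SSH is not reported because the only Allow has a narrow source; MSSQL and PostgreSQL are not reported because an Internet-wide Deny at priority 250 precedes the broad Allow at 300; RDP, Oracle and MySQL are reported. To run it against a real NSG, feed it the `securityRules` array from `az network nsg show`; remember that a subnet-level NSG and a NIC-level NSG are evaluated separately, so check both.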
Risk: High
Target: Security Pricings
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Enabling Microsoft Defender for App Service is crucial for improving the security of Microsoft Azure App Service instances. It provides advanced threat detection features such as threat intelligence, anomaly detection, and behavior analytics designed explicitly for Azure App Service. Defender for Cloud is not enabled for App Service instances by default; turning it on activates threat detection backed by the Microsoft Security Response Center.
Resolution
Enable Defender for App Service
Risk: High
Target: Security Pricings
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Enabling Microsoft Defender for SQL on Azure SQL database servers detects and helps mitigate potential vulnerabilities and anomalous activities. The feature produces action-oriented security alerts and monitors servers for threats such as SQL injection attempts, brute-force logins, and privilege abuse. By default, Defender for Cloud is not enabled for SQL servers.
Resolution
Enable Defender for SQL
Risk: High
Target: Security Pricings
Compliance:
Description
It is recommended to enable Microsoft Defender for Cloud for virtual machines in an Azure cloud account. This security service provides advanced protection features, including vulnerability scanning, file integrity monitoring, access monitoring, and network hardening. Enabling this service strengthens the defense-in-depth of the Azure environment, as it is not enabled by default.
Resolution
Enable Defender for Servers
Risk: Critical
Target: Virtual Machine
Compliance:
Description
Authenticate to virtual machines with SSH keys rather than passwords. Disabling password authentication removes the weakest link that attackers target with brute-force and credential-stuffing attacks against exposed SSH endpoints. On Azure Linux VMs this corresponds to creating the VM with password authentication disabled (the `disablePasswordAuthentication` setting of the VM's Linux configuration, which `az vm create --authentication-type ssh` sets).
Resolution
Create and use SSH keys for Windows VM
Risk: High
Target: Virtual Machine
Compliance:
Description
Enabling network security group monitoring in Microsoft Azure lets Azure Security Center (now Microsoft Defender for Cloud) audit the network security groups associated with your VMs for overly permissive traffic rules. The feature flags such groups and recommends configuring them to control inbound and outbound traffic for VMs with public endpoints. Note that an NSG associated with a subnet applies to every network interface in that subnet, so a single permissive subnet-level NSG exposes every VM in it.
Resolution
Filter Network Traffic
Risk: High
Target: Virtual Machines
Compliance:
Description
Adaptive application controls must be enabled so that Microsoft Defender for Cloud can analyze the applications running on each eligible virtual machine (VM) and, using machine learning, recommend a list of known-safe applications. Adaptive application controls is Defender for Cloud's automated allowlisting solution for Azure and non-Azure VMs, Windows and Linux alike: once you accept an allowlist, Defender for Cloud alerts whenever an application outside it runs, which helps detect malware and unauthorized software on the VM.
Resolution
Enable Adaptive Application Controls
Risk: High
Target: Web App
Compliance:
Description
Health checks let App Service detect unhealthy instances of your application, route traffic away from them, and restart them instead of serving errors. Enable the Health check feature and point it at a path that exercises the application's dependencies, so that failing instances are identified and removed from rotation quickly and the application stays resilient to unexpected disruptions.
Resolution
Monitor App Service instances using Health check
Risk: High
Target: Virtual Machine
Compliance:
Description
Azure Disk Encryption uses DM-Crypt for Linux and BitLocker for Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), integrated with Azure Key Vault for managing the encryption keys and secrets. Enable it for production data to protect VM disks from unauthorized access and meet compliance requirements: an encrypted boot volume is unrecoverable without the key, so a copied or detached disk cannot be read.
Resolution
Enable disk Encryption
Risk: Critical
Target: Network Security Group
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
To reduce the attack surface and implement the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e., 0.0.0.0/0) to UDP ports. The User Datagram Protocol (UDP) is a connectionless protocol used for time-sensitive traffic such as video streaming and Domain Name System (DNS) lookups. Because there is no handshake, a UDP service cannot verify the source address of a datagram: exposed UDP services can be probed and exploited from spoofed addresses and abused as reflectors and amplifiers in Distributed Denial of Service (DDoS) attacks, and they are themselves easy to flood.
Resolution
Update Security Rules
Risk: High
Target: Virtual Machine
Compliance:
Description
Regularly review Microsoft Azure network interfaces with IP forwarding enabled (the `enableIPForwarding` property). IP forwarding lets a network interface receive and forward traffic not addressed to it, which is needed only by VMs acting as network virtual appliances such as firewalls, routers, or NAT gateways. Assess each interface to determine whether IP forwarding is necessary and disable it where the VM has no such role.
Resolution
Disable IP forwarding
Risk: Critical
Target:
Web App
Compliance:
Description
Remote debugging, available for ASP.NET, ASP.NET Core, Node.js, and Python applications on Azure App Service, opens inbound ports for the Visual Studio remote debugger on your web application. That increases the attack surface and exposes a debugging interface that should never be reachable in production. To improve the security of your Azure App Service web applications and prevent unauthorized access, disable remote debugging, and enable it only temporarily when a debugging session requires it.
Resolution
Disable Remote Debugging
Risk: Critical
Target: Virtual Machine
Description
Management ports, such as Remote Desktop Protocol (RDP) and Secure Shell (SSH), are commonly used to connect to Azure virtual machines to administer them remotely. However, these ports open your virtual machine to potential attacks from the Internet and can expose you to credential-guessing attempts. It is important to ensure that these management ports are securely configured and monitored to minimize the risk of attack.
Resolution
Restrict NSG Source setting
Risk: High
Target: Virtual Machine
Compliance:
Description
Hardening the network security group rules of Internet-facing virtual machines reduces the attack surface: limit inbound access to only the services and ports that the applications on the VM require, and only from the sources that need them. This denies attackers the open or vulnerable ports they look for, and it helps you meet the network-segmentation requirements that government regulations and industry standards impose.
Resolution
Setup Network Hardening
Risk: Critical
Target: Vaults
Compliance:
Description
Ensuring maximum safety for confidential and crucial data stored in Azure Key Vaults requires granting access to specific operations only to relevant principals. It is also crucial to follow security best practices, including implementing the principle of least privilege. No Microsoft Azure user, group, or application should have full administrator privileges for accessing and managing Azure Key Vaults.
Resolution
Restrict Vault Privilege
Risk: High
Target: Virtual Machine
Compliance:
Description
To meet security and compliance requirements, encrypt all disk volumes attached to Microsoft Azure virtual machines in the application tier. This rule assumes that all Azure resources in the application tier carry a specific tag name and value, and evaluates the VMs that match. Enabling encryption ensures confidentiality and protects sensitive data from unauthorized access.
Resolution
Enable disk Encryption
Risk: High
Target: Disk
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Unencrypted detached disk volumes risk disclosing sensitive information even though they are not attached to any virtual machine: anyone who can snapshot, copy, or attach the disk can read it. Encrypt detached disk volumes as well as attached ones. Azure Disk Encryption uses BitLocker for Windows and DM-Crypt for Linux to encrypt the OS and data disks of Azure virtual machines, and its integration with Azure Key Vault lets you control and manage the disk encryption keys and secrets.
Resolution
Enable Encryption
Risk: High
Target: PostgreSQL
Compliance:
Description
To fulfill security and compliance requirements, ensure that data in transit to Microsoft Azure PostgreSQL servers is encrypted. Enforce TLS connections between the PostgreSQL database servers and client applications when working with production data; this protects credentials and query results from Man-In-the-Middle (MITM) attacks and satisfies in-transit encryption requirements. Azure Database for PostgreSQL exposes this as the "Enforce SSL connection" setting on single server and the `require_secure_transport` server parameter on flexible server; set a minimum TLS version of 1.2 as well where the option exists.
Resolution
Enable in-transit encryption
Risk: High
Target: Redis Cache
Compliance:
Description
Using TLS connections between the cache and your service or application protects data in transit and the access key that clients present. Azure Cache for Redis listens on port 6380 for TLS and on port 6379 for plaintext; set "Allow access only via SSL" (the `enableNonSslPort` property set to false) so that the plaintext port is closed and production data cannot be read or replayed on the wire. This is required to meet cloud security and data-encryption compliance requirements.
Resolution
Enable in-transit encryption
Risk: High
Target: Azure Storage Account
Description
An Azure Storage account provides a secure and scalable environment for storing files, blobs, queues, tables, and disks with high availability and durability.
Enabling the "Secure transfer required" setting (the `supportsHttpsTrafficOnly` property) restricts access to the storage account to connections that use HTTPS; requests over plain HTTP are rejected, as are unencrypted SMB connections to Azure Files. To keep Azure Storage data safe in transit, all traffic between clients and the storage account must be encrypted, so this setting should be enabled on every account.
Resolution
Enable secure transfer
Risk: High
Target: SQL Server
Compliance:
Description
To capture critical activity on SQL databases and servers, configure the audit action groups (the `auditActionsAndGroups` property) of the auditing policy implemented at the Microsoft Azure SQL server level. Enable SQL auditing and include at least the SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP action groups so that logins, failed logins, and executed batches are logged for the server and every database it hosts.
Resolution
Configure Audit Action Group
Risk: Critical
Target: SQL Database
Compliance:
Description
To prevent unauthorized connections, configure the Microsoft Azure SQL server firewall to allow inbound access only from authorized networks, using firewall rules that specify the exact IP addresses or ranges of those networks. Avoid the rule 0.0.0.0-255.255.255.255, which admits the whole Internet, and be aware that the "Allow Azure services and resources to access this server" option creates a 0.0.0.0-0.0.0.0 rule (AllowAllWindowsAzureIps) that admits traffic from any Azure tenant, not only yours. Prefer private endpoints or virtual network rules over public IP allowlists where possible.
Resolution
Deny public access
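Server-level firewall rules are start-end IP ranges, so a review has to classify each range rather than look for a single value. The following Python is an added example of that review, not Paladin Cloud's rule code. It recognizes the special 0.0.0.0-0.0.0.0 "Azure services" rule, the whole-Internet range, and ranges wider than a threshold (the 256-host threshold is an assumption), and runs against a constructed sample in the shape of `az sql server firewall-rule list` output:

```python
import ipaddress

# Constructed sample in the shape of `az sql server firewall-rule list`
# output, trimmed to the fields the check reads. Invented values.
SAMPLE_SQL_FIREWALL_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "OfficeEgress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    {"name": "TempOpen", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "PartnerRange", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.255.255"},
]


def rule_scope(rule, max_hosts=256):
    """Classify one server-level firewall rule.

    'azure-services': the 0.0.0.0-0.0.0.0 rule the portal creates for "Allow
        Azure services and resources to access this server"; it admits
        traffic from any Azure-hosted address, including other tenants' VMs.
    'public': the entire IPv4 address space.
    'broad': more than max_hosts addresses (threshold is an assumption).
    'scoped': a small, explicit allowlist.
    """
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if int(start) == int(end) == 0:
        return "azure-services"
    hosts = int(end) - int(start) + 1
    if hosts >= 2 ** 32:
        return "public"
    if hosts > max_hosts:
        return "broad"
    return "scoped"


def rule_as_cidrs(rule):
    """Express a start-end rule as CIDR blocks, which is easier to review."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def audit_sql_firewall(rules, max_hosts=256):
    """Return {rule name: scope} for every rule that is not a tight allowlist."""
    report = {}
    for rule in rules:
        scope = rule_scope(rule, max_hosts)
        if scope != "scoped":
            report[rule["name"]] = scope
    return report


if __name__ == "__main__":
    for name, scope in audit_sql_firewall(SAMPLE_SQL_FIREWALL_RULES).items():
        print(f"{name}: {scope}")
    print("OfficeEgress as CIDRs:", rule_as_cidrs(SAMPLE_SQL_FIREWALL_RULES[1]))
```

Whether the "azure-services" rule is acceptable depends on your threat model; the point of reporting it separately is that it is easy to mistake for "my own Azure resources only".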
Risk: Medium
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Requiring incoming client certificates on a web application enables mutual TLS (mTLS) authentication: the client must present a certificate during the TLS handshake in addition to the server presenting its own, so that only holders of a trusted client certificate can reach the application. On App Service this is the "Client certificate mode" setting (the `clientCertEnabled` property); the platform forwards the certificate to your code in the X-ARR-ClientCert header, so the application must still validate the certificate's issuer and subject before trusting the request.
Resolution
Configure TLS mutual authentication for Azure App Service
Risk: Medium
Target: Function App
Compliance:
Description
Requiring incoming client certificates on a Function App enables mutual TLS (mTLS) authentication. The client and the server each present a certificate during the TLS handshake, so only clients holding a trusted certificate can reach the Function App, which reduces the risk of unauthorized access to the functions it hosts. As with App Service, the function code must validate the forwarded certificate before trusting the request.
Resolution
Configure TLS mutual authentication for Azure App Service
Risk: Medium
Target: Vaults
Compliance:
Description
Delete protection for a Key Vault has two parts. Soft delete keeps deleted vaults, keys, secrets, and certificates recoverable for a retention period (7 to 90 days) instead of removing them immediately. Purge protection additionally prevents anyone, including an administrator or a compromised account, from permanently purging a soft-deleted object before that period expires. Together they protect against accidental or malicious deletion of the keys that other resources depend on and preserve the integrity and availability of your cryptographic material.
Resolution
Azure Key Vault recovery management with soft delete and purge protection
Risk: Medium
Target: Storage Account
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Setting the storage account firewall's default action to Deny blocks all network traffic to the account except from the virtual network subnets, public IP addresses or ranges, and trusted Microsoft services that you explicitly allow. This limits access to authorized clients, reduces the risk of unauthorized access and data exfiltration from the public Internet, and helps meet compliance requirements. It is an important best practice for protecting sensitive data in Azure storage accounts. Note that a network rule is not an authorization check: allowed clients must still present a valid key, SAS token, or Azure AD credential.
Resolution
Configure Azure Storage firewalls and virtual networks
Risk: Medium
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Set the minimum TLS version of the web app to 1.2 (the `minTlsVersion` site setting) so that clients using TLS 1.0 or 1.1, which have known weaknesses and are deprecated by PCI DSS and by browser vendors, cannot connect. Modern browsers and SDKs all support TLS 1.2, so the change is low-risk, and it is a common regulatory requirement for protecting user data in transit.
Resolution
Secure a custom DNS name with a TLS/SSL binding in Azure App Service
Risk: Medium
Target: Blob Service
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Enabling Soft Delete for Blob Storage is crucial for protecting against accidental or malicious data deletion, ensuring compliance, simplifying data recovery, providing a cost-effective solution for data protection, and maintaining data integrity.
Resolution
Enable soft delete for blobs
Risk: Medium
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Encrypting a storage account for activity logs using a CMK provides data protection, custom key management, auditing and monitoring, key rotation, and compliance with industry regulations. Using services like Azure Storage Service Encryption and following key management best practices helps maintain a secure environment and protect sensitive log data.
Resolution
Customer-managed keys for Azure Storage Encryption
Risk: Medium
Target: Network Security Group
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Configuring the Network Security Group (NSG) flow log retention period to more than 90 days in Azure supports regulatory requirements, incident response, and forensic analysis: an intrusion is often discovered weeks after the first connection, and the flow records of that period are the evidence. Retaining NSG flow logs for a longer period is considered a best practice for understanding network behavior and improving the security of your Azure environment. When checking this setting, note that a retention value of 0 means the logs are kept indefinitely, which satisfies the intent of the control even though the number is below 90.
Resolution
Flow logs for network security groups
Risk: High
Target: SQL Database
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Transparent Data Encryption (TDE) encrypts the data files, log files, and backups of an Azure SQL database at rest, so the data cannot be read if the underlying storage or a backup is copied or stolen. Data is decrypted as it is read into memory, so TDE does not restrict who can query the database and is not a substitute for access control; it is an at-rest protection that many industry data protection regulations and standards require. Azure enables TDE by default for new databases with a service-managed key; verify that it has not been disabled, and consider a customer-managed key in Key Vault where you need control of the TDE protector.
Resolution
Transparent data encryption (TDE)
Risk: Medium
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Configure the subscription's activity log diagnostic setting to export the mandatory log categories; the CIS benchmark calls for at least Administrative, Alert, Policy, and Security. Without these categories, control-plane changes, policy evaluations, and security alerts never reach your Log Analytics workspace, storage account, or event hub, leaving gaps in investigations, troubleshooting, and compliance evidence.
Resolution
az monitor diagnostic-settings
Risk: Medium
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Enabling App Service Authentication with Azure Active Directory as the identity provider gives you single sign-on, centralized access control, and simplified management of user identities, and it lets the platform reject unauthenticated requests before they reach your application code.
Resolution
Configure your App Service or Azure Functions app to use Azure AD login
Risk: Medium
Target: Disk
Compliance:
Description
Managed disks are encrypted at rest with platform-managed keys by default. Encrypting OS and data disks with a customer-managed key (CMK) instead puts the key in your Azure Key Vault, referenced through a disk encryption set, so you can control access to it, audit its use, rotate it, and revoke it to render the disks unreadable. This is server-side encryption with a CMK and is distinct from Azure Disk Encryption, which encrypts inside the guest OS; it helps meet regulations that require customer control of encryption keys.
Resolution
Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks
Risk: Medium
Target: Defender
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Configuring additional email addresses in Microsoft Defender provides benefits such as improved notification coverage, better collaboration, redundancy, and flexibility. It ensures that relevant personnel receive security incident alerts and can collaborate to resolve them, provides redundancy in case of email address unavailability, and provides flexibility in managing notifications based on alert severity or incident type. It is an important best practice to ensure security incidents are promptly addressed and critical alerts are not missed.
Resolution
Quickstart: Configure email notifications for security alerts
Risk: Medium
Target: Defender
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Setting the severity threshold of Microsoft Defender for Cloud email notifications to "High" ensures that the alerts most likely to indicate an active attack reach the responsible people promptly, without burying them in lower-severity noise. Keep triaging medium- and low-severity alerts in the portal or your SIEM, since the email setting only controls what is mailed, not what is detected.
Resolution
Quickstart: Configure email notifications for security alerts
Risk: Medium
Target: Kubernetes
Compliance:
Description
Enabling Role-Based Access Control (RBAC) for Azure Kubernetes Services (AKS) is crucial for maintaining a secure and compliant environment. It provides granular control over access to AKS resources, limits the attack surface, ensures compliance with regulatory frameworks, enables audit trails, and provides flexibility in managing access to AKS resources.
Resolution
Use Kubernetes role-based access control with Azure Active Directory in Azure Kubernetes Service
Risk: High
Target: Vaults
Compliance:
Description
Using a customer-managed key (CMK) stored in Azure Key Vault to encrypt your Azure resources gives you ownership of the encryption key: you control access to it, audit its use, rotate it, and can revoke it. This helps meet regulatory and compliance requirements and adds a layer of protection beyond the platform-managed keys used by default.
Resolution
Enable a customer-managed key
Risk: Medium
Target: Vaults
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Set an expiration date on every key in Key Vault. A key without an expiry can be used indefinitely, so a compromised copy stays valuable forever; an expiry forces rotation, gives a clear record of a key's lifetime for auditing, and keeps key management predictable. Key Vault will not perform cryptographic operations with an expired key, so set the expiry when the key is created (`az keyvault key create --expires`) or afterwards (`az keyvault key set-attributes --expires`), and rotate before it is reached.
Resolution
Manage Key Vault using the Azure CLI
Risk: Medium
Target: Vaults
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description
Setting an expiration date for secrets in Key Vault reduces the risk of compromise, simplifies secret management, improves auditing and accountability, supports compliance, and maintains security over time. Secrets such as passwords and connection strings are critical to security systems, and their compromise can pose a significant risk. An expiration date limits a secret's lifespan, shrinking the window in which a leaked value is useful, and gives a clear record of when it was due for rotation (`az keyvault secret set-attributes --expires`).
Resolution
Manage Key Vault using the Azure CLI
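The two expiry policies above (keys and secrets) are the same check over two object lists. The following Python is an added example of that check, not Paladin Cloud's rule code. It reads the `attributes` block that `az keyvault key list` and `az keyvault secret list` return, reports objects with no expiry, an expiry already passed, or one within a warning window (the 30-day window and the fixed clock are assumptions), and runs against a constructed sample rather than a real vault:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault key list` / `az keyvault
# secret list` output, trimmed to the attributes the check reads and tagged
# with the object kind. Invented values; not the contents of a real vault.
SAMPLE_VAULT_OBJECTS = [
    {"kind": "key", "name": "tde-protector",
     "attributes": {"enabled": True, "expires": "2025-01-01T00:00:00+00:00"}},
    {"kind": "key", "name": "legacy-rsa",
     "attributes": {"enabled": True, "expires": None}},
    {"kind": "secret", "name": "db-connection-string",
     "attributes": {"enabled": True, "expires": "2024-06-10T00:00:00+00:00"}},
    {"kind": "secret", "name": "old-api-token",
     "attributes": {"enabled": False, "expires": None}},
    {"kind": "secret", "name": "stale-webhook-secret",
     "attributes": {"enabled": True, "expires": "2024-01-01T00:00:00Z"}},
]

# Fixed clock so the sample is deterministic (an assumption for the example);
# a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_expiry(value):
    """Key Vault returns RFC 3339 timestamps; accept both 'Z' and '+00:00'."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(obj, now=NOW, warn_days=30):
    """One of: disabled, no-expiry, expired, expiring-soon, ok."""
    attrs = obj["attributes"]
    if not attrs.get("enabled", True):
        return "disabled"        # inert; review and purge rather than leave it around
    expires = parse_expiry(attrs.get("expires"))
    if expires is None:
        return "no-expiry"       # the condition the two CIS checks flag
    if expires <= now:
        return "expired"         # past its expiry date; rotate or remove
    if expires - now <= timedelta(days=warn_days):
        return "expiring-soon"   # rotate before dependent workloads fail
    return "ok"


def audit_vault_objects(objects, now=NOW, warn_days=30):
    """Return {'kind/name': status} for every object that is not simply 'ok'."""
    report = {}
    for obj in objects:
        status = classify(obj, now, warn_days)
        if status != "ok":
            report[f"{obj['kind']}/{obj['name']}"] = status
    return report


if __name__ == "__main__":
    for item, status in audit_vault_objects(SAMPLE_VAULT_OBJECTS).items():
        print(f"{item}: {status}")
```

Listing keys and secrets requires only list permission on the vault, so the audit can run under an identity that cannot read secret values; the `expires` attribute comes back in the listing without retrieving the secret itself.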
Risk: High
Target: Vaults
Compliance: CIS Microsoft Azure Foundations Benchmark v1.4.0
Description
Enabling diagnostic logs in Key Vault is important to monitor and audit activities, troubleshoot issues, comply with regulatory requirements related to data protection and security, and improve overall security posture by identifying potential vulnerabilities and taking proactive measures to prevent security threats.
Resolution Enable Key Vault logging
Risk: Critical
Target: Storage Account
Compliance: CIS Microsoft Azure Foundations Benchmark v1.4.0
Description
To improve the security of your Microsoft Azure Storage account, change the network default action from "Allow" to "Deny" and grant access only to selected networks or IP addresses. You can allow particular Azure Virtual Network subnets, which provide a secure network boundary, or public IP address ranges, which admit connections from specific services or clients. With network restrictions in place, only clients on approved networks or addresses can reach the storage account, and they must still hold valid authorization (a key, SAS token, or Azure AD role) to use it.
Resolution
Configure Azure Storage firewalls and virtual networks
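This policy and the "Deny Network Access Rule" policy earlier on this page both check the account's `networkRuleSet`. The following Python is an added example of that check, not Paladin Cloud's rule code. It flags a default action of Allow, IP rules that are private ranges (Azure storage IP rules only match public addresses, so such entries grant nothing), ranges wider than an assumed threshold, and virtual network rules that never finished provisioning. It runs against a constructed sample in the shape of the `networkRuleSet` block of `az storage account show`; the public example addresses below deliberately avoid the RFC 5737 documentation ranges because Python's `ipaddress` classifies those as non-public:

```python
import ipaddress

# Constructed sample: the networkRuleSet block of `az storage account show`
# output, trimmed. Invented values; not a real account.
SAMPLE_NETWORK_RULE_SET = {
    "defaultAction": "Allow",
    "bypass": "AzureServices, Logging, Metrics",
    "ipRules": [
        {"action": "Allow", "value": "198.49.23.144"},   # single public host: fine
        {"action": "Allow", "value": "10.0.0.0/8"},      # private: never matches
        {"action": "Allow", "value": "1.0.0.0/8"},       # 16M public hosts: too broad
    ],
    "virtualNetworkRules": [
        {"action": "Allow", "state": "Succeeded",
         "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/"
                                     "resourceGroups/rg-app/providers/Microsoft.Network/"
                                     "virtualNetworks/vnet-app/subnets/snet-web"},
    ],
}

# The same account after remediation: firewall enforced, a /29 allowlist.
HARDENED_NETWORK_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "value": "198.49.23.144/29"}],
    "virtualNetworkRules": SAMPLE_NETWORK_RULE_SET["virtualNetworkRules"],
}


def audit_storage_network_rules(rule_set, max_prefix_hosts=1024):
    """Return a list of findings; empty means the firewall is enforced and
    every allowlisted range is public and reasonably narrow (the 1024-host
    threshold is an assumption for this example)."""
    findings = []
    if rule_set.get("defaultAction", "Allow").lower() != "deny":
        findings.append("defaultAction is Allow: ipRules and virtualNetworkRules are not enforced")
    for rule in rule_set.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"ipRule {rule['value']} admits the entire Internet")
        elif net.is_private:
            findings.append(f"ipRule {rule['value']} is a private range; "
                            "storage IP rules match public addresses only")
        elif net.num_addresses > max_prefix_hosts:
            findings.append(f"ipRule {rule['value']} spans {net.num_addresses} addresses "
                            f"(threshold {max_prefix_hosts})")
    for vnet_rule in rule_set.get("virtualNetworkRules", []):
        if vnet_rule.get("state", "").lower() != "succeeded":
            findings.append(f"virtualNetworkRule {vnet_rule['virtualNetworkResourceId']} "
                            f"is not provisioned (state {vnet_rule.get('state')})")
    return findings


def bypass_services(rule_set):
    """Trusted Microsoft services that skip the rules. CIS keeps AzureServices
    enabled, so this is reported for review rather than as a finding."""
    return sorted(s.strip() for s in rule_set.get("bypass", "").split(",") if s.strip())


if __name__ == "__main__":
    for finding in audit_storage_network_rules(SAMPLE_NETWORK_RULE_SET):
        print("finding:", finding)
    print("bypass:", bypass_services(SAMPLE_NETWORK_RULE_SET))
    print("hardened findings:", audit_storage_network_rules(HARDENED_NETWORK_RULE_SET))
```

The first finding is the one that matters most: while `defaultAction` is Allow, the IP and virtual network rules are decorative, so a review that only inspects the allowlist entries would miss that the account is open.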
Risk: High
Target: Network Interface
Compliance:
Description
Assigning mandatory tags to network interfaces helps with cost management, resource management, access management, and automation. Mandatory tags streamline operations and reduce the risk of mismanaging resources.
Resolution
Network Interfaces - Update Tags
Risk: High
Target: Load Balancer
Compliance:
Description
Assigning mandatory tags to load balancers helps with cost management, resource management, access management, and automation. Mandatory tags streamline operations and reduce the risk of mismanaging resources.
Resolution
Load Balancers - Update Tags
Risk: Medium
Target: SQL Server
Compliance:
Description
Enabling auditing for Advanced Data Security on SQL Servers provides enhanced security, compliance, improved visibility, forensic analysis, and continuous monitoring. Auditing tracks and logs security-related events, helps detect potential threats and suspicious activity, meets compliance requirements, and gives visibility into user activity for forensic analysis. It is an essential component of a robust security strategy for organizations handling sensitive SQL Server data.
Resolution
Auditing for Azure SQL Database and Azure Synapse Analytics
Risk: High
Target: SQL Database
Compliance:
Description Enabling alerts for Azure SQL Advanced Threat Detection is important for detecting and preventing potential data breaches or unauthorized access to sensitive data. It is also necessary for compliance with security standards and regulations, including GDPR and HIPAA, which require regular monitoring and incident detection.
Resolution Configure Advanced Threat Protection in Azure SQL Managed Instance
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for create/update operations in a PostgreSQL database is essential for maintaining security, performance, and compliance. It helps detect unauthorized access, provides an audit trail, identifies performance bottlenecks, enables troubleshooting, ensures accountability, allows proactive maintenance and aids disaster recovery efforts.
Resolution Set up alerts on metrics for Azure Database for PostgreSQL - Single Server
Risk: High
Target: Subscription
Compliance:
Description Monitoring "Create or Update Load Balancer" events in your Azure account offers insights into changes and helps detect unauthorized or undesired activities. Configure an Azure activity log alert with the condition "Category='Administrative' and Signal name='Create or Update Load Balancer (loadBalancers)'" to ensure timely detection.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Configure an Azure activity log alert for "Create or Update Virtual Machine" events to detect unauthorized activities quickly. The matching condition is: Administrative Activity Log "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)" with "any" Event level, "any" Status, and Event initiated by "any". This monitoring provides insights into changes related to Azure VMs within your cloud environment.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for Load Balancer events in Azure is essential for security, compliance, performance, troubleshooting, resource management, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, optimize network traffic distribution, minimize downtime, manage resources effectively, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for account deletion of virtual machines (VMs) in Microsoft Azure is crucial for preventing accidental or unauthorized deletion of critical VMs and their associated data, maintaining the security and integrity of an organization's cloud infrastructure, and ensuring compliance with regulatory requirements. This alert enables administrators to receive immediate notifications when a specific account deletes a VM, allowing them to take prompt action to restore any deleted VMs and investigate any unauthorized deletion attempts. Log alerts also provide valuable insights into who initiated the deletion and when it occurred, enabling administrators to track any suspicious or malicious activity.
Resolution Create a new alert rule
Risk: Low
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling the HTTP/2 protocol for Azure App Service web applications can improve performance by reducing page load times, improving security with mandatory SSL/TLS encryption, ensuring compatibility with modern web browsers, and providing SEO benefits by improving search engine rankings.
Resolution HTTP/2 support in Azure App Service
Risk: Medium
Target: SQL Server
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Configuring the "Send Scan Report to" option within SQL Server's Vulnerability Assessment is important for timely notifications, accountability, centralized documentation, compliance, improved collaboration, and monitoring of remediation progress. It helps ensure potential security risks are addressed proactively and promotes a robust security posture within the organization.
Resolution Vulnerability Assessment for SQL Server
Risk: Medium
Target: Defender
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Setting all users as owners in email notifications for Microsoft Defender in Azure is not recommended due to security risks and management challenges. Instead, follow best practices such as the principle of least privilege, role-based access control, targeted notifications, separation of duties, and regular monitoring and auditing to maintain a secure and efficient environment.
Resolution Defender for Identity notifications in Microsoft 365 Defender
Risk: Medium
Target: Virtual Machine
Compliance:
Description Enabling Adaptive Application Controls on Virtual Machines brings benefits such as increased security, reduced risk of configuration errors, improved performance, and simplified management. It uses machine learning algorithms to identify and prevent potentially harmful activities, automatically adjusts security policies based on application behavior, and can be managed centrally.
Resolution Use adaptive application controls to reduce your machines' attack surfaces
Risk: High
Target: Storage Account
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description To secure access to your Microsoft Azure Storage account, you should configure network rules to limit access to specific Azure Virtual Networks or public IP address ranges. Clients and applications that request access should provide proper authorization, such as access keys or Shared Access Signatures (SAS) tokens. To add an extra layer of security, ensure that the default network access is set to "Deny" to prevent unauthorized access from any network.
Resolution Azure Policy built-in definitions for Azure Storage
Risk: High
Target: Storage Account
Compliance:
Description Checking Storage VNet Integration is important to ensure a secure network boundary for specific applications accessing Microsoft Azure Storage accounts. By configuring network rules, access is limited to allowed networks and IP addresses, and proper authorization (such as a valid access key or Shared Access Signature token) is required for access. To add an extra layer of security, it is recommended to deny access to traffic from all networks and change the default action from "Allow" to "Deny."
Resolution Integrate your app with an Azure virtual network
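The three storage-account entries above (network rules, default action "Deny", and VNet integration) all reduce to one check on the account's network rule set. The following is an added example, not Paladin Cloud's own code: it classifies a storage account's network ACLs into the three states the portal exposes and flags the default "Allow". The dictionary shape is modelled on the ARM `networkAcls` block (`defaultAction`, `bypass`, `ipRules`, `virtualNetworkRules`); the sample accounts and the subnet id are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    account: str
    exposure: str                 # "all_networks", "selected_networks" or "no_networks"
    passed: bool
    reasons: list[str] = field(default_factory=list)


def classify(acls: dict) -> str:
    """Map a networkAcls block onto the three public-network states.

    * defaultAction "Allow"             -> all_networks (the insecure default)
    * "Deny" plus VNet/IP rules or a
      trusted-services bypass            -> selected_networks
    * "Deny" with nothing allowed        -> no_networks (reachable only privately)
    """
    if acls.get("defaultAction", "Allow") != "Deny":
        return "all_networks"
    has_allow_list = bool(acls.get("ipRules")) or bool(acls.get("virtualNetworkRules"))
    if has_allow_list or acls.get("bypass", "None") != "None":
        return "selected_networks"
    return "no_networks"


def evaluate(name: str, acls: dict) -> Finding:
    """Fail only the state the policy text objects to: default action Allow."""
    exposure = classify(acls)
    reasons: list[str] = []
    if exposure == "all_networks":
        reasons.append("defaultAction is 'Allow': any network may reach the account")
    return Finding(name, exposure, not reasons, reasons)


def audit(accounts: dict[str, dict]) -> dict[str, Finding]:
    """Evaluate every {account name: networkAcls} pair, e.g. collected from
    the networkRuleSet returned by `az storage account show` (assumption)."""
    return {name: evaluate(name, acls) for name, acls in accounts.items()}


# Constructed sample accounts; the subnet id is a placeholder, not a real resource.
SUBNET_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network"
             "/virtualNetworks/<vnet>/subnets/app")
SAMPLE_ACCOUNTS = {
    "stpublic":   {"defaultAction": "Allow", "bypass": "AzureServices",
                   "ipRules": [], "virtualNetworkRules": []},
    "stselected": {"defaultAction": "Deny", "bypass": "AzureServices",
                   "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                   "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}]},
    "stlocked":   {"defaultAction": "Deny", "bypass": "None",
                   "ipRules": [], "virtualNetworkRules": []},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS).values():
        status = "PASS" if finding.passed else "FAIL"
        print(f"{status} {finding.account}: {finding.exposure} {'; '.join(finding.reasons)}")
```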
Risk: High
Target: Batch Accounts
Compliance:
Description Configuring metric alert rules on Batch Accounts in Azure helps proactively monitor system performance and availability, trigger alerts based on defined thresholds for Batch account metrics, and prevent potential downtime or performance issues. This ensures efficient and effective operation of the Batch service.
Resolution Batch metrics, alerts, and logs for diagnostic evaluation and monitoring
Risk: High
Target: Batch Accounts
Compliance:
Description Enabling diagnostic logs in Batch Accounts in Azure provides insights into system behavior, improves system uptime, and reduces MTTR by identifying potential issues and their root causes. These logs can be used for performance monitoring, auditing, and security analysis, and analyzed with various Azure tools for valuable insights and trend identification.
Resolution Batch metrics, alerts, and logs for diagnostic evaluation and monitoring
Risk: High
Target: Name Spaces
Compliance:
Description Enabling diagnostic logs in Azure Service Bus is essential for maintaining system visibility, identifying potential issues, and improving system uptime and performance. These logs provide insights into messaging operations, message delivery, and security events, and can be analyzed with Azure tools for monitoring, auditing, and security analysis.
Resolution Monitoring Azure Service Bus data reference
Risk: High
Target: Storage Account
Compliance:
Description Customer Managed Keys allow customers to control their own encryption keys for Azure Storage accounts, providing an extra layer of security and enabling greater regulatory compliance. This feature allows customers to generate, store, and revoke their own encryption keys in Azure Key Vault, ensuring that they have full control over who can access their data. Additionally, customers can rotate their encryption keys as needed to further enhance security. Using Customer Managed Keys is a best practice for ensuring the highest level of security for Azure Storage account data.
Resolution Customer-managed keys for Azure Storage encryption
Risk: High
Target: Vaults
Compliance:
Description To enhance security and compliance in your Microsoft Azure cloud web tier, utilizing a Customer-Managed Key (CMK) or Bring Your Own Key (BYOK) within your Azure Key Vault is recommended. This provides complete control over key usage and ownership, implementing the principle of least privilege. Configuring at least one CMK/BYOK for your web tier is advisable. All Azure cloud resources within the web tier must be tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> refers to the tag name and <web_tier_tag_value> refers to the tag value. Properly configure the tag set for your Azure web tier before implementing the CMK/BYOK key.
Resolution Customer-managed keys for Azure Storage encryption
Risk: High
Target: Virtual Machine
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enable automatic provisioning of vulnerability assessment solutions for Azure VM servers using Microsoft Defender for Cloud to monitor security configurations and reduce management overhead. This applies to both Azure and hybrid environments, streamlining the installation of required agents and extensions on VMs.
Resolution Automatically configure vulnerability assessment for your machines
Risk: High
Target: Virtual Machine
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Installing Monitoring Agents on Azure machines is crucial for enhanced visibility, performance optimization, log collection, timely alerts, security, compliance, simplified management, and seamless integration with other Azure services. This ensures efficient VM operation, effective troubleshooting, and a secure, compliant infrastructure.
Resolution Microsoft Monitoring Agent setup
Risk: High
Target: Virtual Machine
Compliance:
Description Using a Vulnerability Assessment Solution is crucial for enhancing security posture, prioritizing risk management, ensuring compliance, providing actionable insights, streamlining security processes, offering visibility and tracking, and minimizing potential damages from cyber attacks. It helps maintain a strong, secure, and compliant infrastructure.
Resolution View and remediate findings from vulnerability assessment solutions on your VMs
Risk: High
Target: SQL Server
Compliance:
Description Configuring email in Data Security Settings in Azure is essential for receiving timely security alerts, compliance notifications, and operational updates. It facilitates prompt incident response, promotes accountability and communication, and aids in auditing and reporting, ultimately improving the overall management of your Azure environment.
Resolution Configure email notifications for security alerts
Risk: High
Target: SQL Database
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Azure Threat Detection for SQL Server provides advanced threat protection for your databases in the cloud. It monitors the security of your databases and detects suspicious activities, such as SQL injection attacks, malicious attempts to access sensitive data, and anomalous database activities. It also provides an easy-to-use dashboard to view the security of your databases and track threats. By enabling Azure Threat Detection on SQL Server, you can gain visibility into potential security threats, protect your databases from attack, and minimize your risk of data loss.
Resolution Configure Advanced Threat Protection in Azure SQL Managed Instance
Risk: High
Target: Virtual Machine
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Endpoint protection software such as Microsoft Antimalware can help protect Azure virtual machines (VMs) from viruses, spyware, and other malicious software. Azure Security Center monitors the status of anti-malware protection on VMs, alerting users to any unprotected VMs. When installing endpoint protection, it provides real-time detection of malicious software and can prevent it from installing or running on your VMs.
Resolution Install endpoint protection solution on virtual machines
Risk: High
Target: Virtual Machine
Compliance:
Description Azure Container Security helps organizations ensure their container workloads are secure and compliant. It provides visibility and control of container images running in Azure and helps to identify potential security risks or misconfigurations. Azure Container Security also offers tools to detect and remediate container vulnerabilities and monitor container health. This helps reduce the risk of attacks and data breaches and ensures that containers comply with organizational standards and industry regulations.
Resolution Overview of Microsoft Defender for Containers
Risk: Medium
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Disabling Plain FTP Deployment is a security measure that provides benefits such as improved security, compliance, better control, and improved performance. It improves security by requiring the use of secure file transfer protocols, such as SFTP or FTPS, and avoids the vulnerabilities of plain FTP. It helps organizations meet compliance requirements and provides better control over access to the deployment. Additionally, it improves performance by using encryption and compression to improve transfer speeds and reduce latency. It is an important best practice for organizations that deploy applications or services and must protect sensitive data.
Resolution Deploy your app to Azure App Service using FTP/S
Risk: High
Target: Blob Container
Compliance:
Description The Immutable Blob Storage feature in Microsoft Azure Storage provides an added layer of protection against the modification and deletion of blob objects, making it suitable for storing sensitive data and meeting regulatory requirements. To ensure data protection, enable the feature for Azure Storage containers that hold critical information, which allows the data to be stored in a non-modifiable and non-erasable WORM state for a user-specified interval. The feature includes two policies: a time-based immutability policy for regulatory compliance and a legal hold policy for indefinite data retention. Once set, these policies protect the data from modifications and deletions.
Resolution Store business-critical blob data with immutable storage
Risk: Medium
Target: Storage Account
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Configuring a storage account's latest minimum TLS version is crucial for maintaining robust security, protecting sensitive data, complying with regulatory frameworks, and staying up-to-date with industry standards. It helps prevent cyber threats, maintains data integrity, and ensures the use of the most robust encryption and security protocols.
Risk: Medium
Target: SQL Database
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling Transparent Data Encryption (TDE) for SQL Database is crucial for protecting sensitive data at rest, ensuring compliance, protecting data privacy, minimizing performance impact, and simplifying management of encrypted databases and backups. TDE encrypts the data stored in the database and associated backups, making it unreadable without the appropriate encryption keys, and has a minimal performance impact on SQL Database.
Resolution Transparent data encryption (TDE)
Risk: High
Target: Virtual Machine
Compliance:
Description Enable endpoint protection monitoring in Azure Security Center to safeguard Azure virtual machines from viruses, spyware, and malicious software. This feature provides comprehensive security recommendations and ensures all Windows virtual machines have endpoint protection for enhanced security.
Resolution Endpoint protection assessment and recommendations in Microsoft Defender for Cloud
Risk: Medium
Target: Name Spaces
Compliance:
Description Enabling diagnostics logs in namespaces in Azure provides several benefits, including troubleshooting issues with your application, monitoring performance, complying with regulatory requirements, and optimizing costs. By capturing detailed information about the behavior of your application, you can gain valuable insights that can help you improve the quality of your application and optimize resource consumption. It is considered a best practice to enable diagnostics logs to ensure the smooth operation of your application and meet compliance requirements.
Resolution Enable diagnostics logs for Notification Hubs
Risk: High
Target: SQL Server
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Checking the encryption for SQL TDE Protector is important to ensure the security and integrity of sensitive data stored in a Microsoft SQL Server database. It helps identify vulnerabilities or weaknesses in security measures and ensures compliance with data protection regulations.
Resolution Transparent data encryption (TDE)
Risk: High
Target: SQL Server
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling Vulnerability Assessment on SQL Servers is important to identify and address potential security vulnerabilities in the database environment, prevent security breaches and data loss, ensure compliance with data protection regulations, and establish a culture of security awareness and best practices for database security.
Resolution Enable vulnerability assessment on your Azure SQL databases
Risk: High
Target: SQL Database
Compliance:
Description Classifying sensitive data in SQL databases is important to identify and manage access to sensitive data, define appropriate security controls, comply with regulatory requirements, and effectively manage data storage and retention.
Resolution SQL Data Discovery and Classification
Risk: High
Target: Subnets
Compliance:
Description Assigning a subnet to a Network Security Group (NSG) is important for managing network traffic flow in Azure Virtual Networks, protecting resources from unauthorized access and potential security threats, and enabling centralized control and management of network security policies ensuring consistent security policies across all resources within the subnet.
Resolution Filtering network traffic
Risk: High
Target: Virtual Machine
Compliance:
Description Installing system updates on virtual machines is essential to ensure the security and stability of the virtual environment, reduce the risk of cyber-attacks and other security threats, and comply with regulatory requirements related to data protection. It helps fix vulnerabilities and software bugs that attackers can exploit and maintain the integrity and availability of the virtual environment.
Resolution Manage updates and patches for your VMs
Risk: High
Target: Workflows
Compliance:
Description Enabling diagnostic logs in Logic Apps in Azure is important because it provides valuable information for troubleshooting, performance analysis, and activity monitoring. Diagnostic logs capture information such as request and response details, workflow run history, and errors encountered during execution. Without diagnostic logs, identifying the root cause of issues or errors can be difficult and lead to longer downtimes, negatively impacting business operations.
Resolution Set up logging to monitor logic apps in Microsoft Defender for Cloud
Risk: Medium
Target: Storage Account
Compliance:
Description Enabling Trusted Microsoft Services to access your storage account provides seamless integration, simplified management, security, scalability, and improved productivity. It allows for secure and efficient integration with various Azure services while adhering to the principle of least privilege, making it easier to scale and manage access permissions.
Resolution Configure Azure Storage firewalls and virtual networks
Risk: Low
Target: Kubernetes
Compliance:
Description Defining authorized IP ranges for the AKS API server is a security best practice that limits access to authorized clients, helps comply with regulatory requirements, optimizes resource utilization, and reduces data transfer and network usage costs.
Resolution Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)
Risk: Low
Target: Kubernetes
Compliance:
Description Enabling add-on policies for AKS can enhance security by enforcing best practices, improving the management of resources and workloads, enabling better monitoring of cluster health and performance, and providing automation capabilities for tasks and processes within the cluster.
Resolution Understand Azure Policy for Kubernetes clusters
Risk: Medium
Target: Defender
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling 'Auto-Provisioning Policy for Defender Log Analytics Agent' streamlines deployment, ensures consistent security, minimizes human error, saves time and resources, supports scalability, and aids in compliance. This results in a comprehensive and efficient security monitoring solution across your infrastructure.
Resolution Deploy the Azure Monitor Agent to protect your servers with Microsoft Defender for Cloud
Risk: Low
Target: Kubernetes
Compliance:
Description Disabling the Kubernetes Dashboard is a security best practice recommended by the Kubernetes community: it helps control access, reduces the attack surface, and optimizes resource utilization.
Resolution Access the Kubernetes Dashboard in Azure Stack Hub
Risk: Low
Target: Kubernetes
Compliance:
Description Enabling private clusters for AKS can improve security by isolating the Kubernetes API server, reducing the attack surface by eliminating the need for public IPs and load balancers, helping with compliance, and providing better network performance for Kubernetes workloads.
Resolution Public and Private AKS Clusters Demystified
Risk: Medium
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Removing custom owner roles can be beneficial in simplifying access control, enhancing security, ensuring compliance, promoting standardization, reducing redundancy, and aligning with changing organizational needs. However, it's crucial to carefully evaluate the potential impact and consult with stakeholders before making changes to avoid unintended consequences.
Resolution Create or update Azure custom roles using the Azure portal
Risk: High
Target: Virtual Machine
Compliance:
Description Network security groups (NSGs) can control inbound and outbound traffic to VMs; by default, they allow all traffic. Restricting network ports on network security groups associated with VMs is important for improving security in cloud environments. By limiting the range of open network ports, organizations can prevent unauthorized access to their resources and reduce the risk of security breaches. This will also ensure that only the necessary traffic is allowed, reducing the attack surface and improving overall security.
Resolution Filter network traffic with a network security group using the Azure portal
Risk: Medium
Target: Virtual Machine
Compliance:
Description Enabling disk encryption monitoring and recommendations for Microsoft Azure virtual machines (VMs) provides benefits such as enhanced security, compliance, improved visibility, simplified management, and cost savings. It helps protect data, ensures compliance, provides greater visibility into the encryption status of VMs, simplifies management, and identifies opportunities for cost savings. It is an essential component of a robust security strategy for organizations handling sensitive data on their Azure VMs.
Resolution Use asset inventory to manage your resources' security posture
Risk: Medium
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling App Service Web App Authentication is a security measure that provides benefits such as improved security, compliance, simplified authentication, customizable authentication, and single sign-on. It improves security by preventing unauthorized access to web applications and protecting against security threats. It helps meet compliance requirements and simplifies the process of adding authentication to web applications. It allows authentication customization and supports single sign-on, enabling users to log in once and access multiple applications. It is an essential best practice for organizations that deploy web applications and need to protect sensitive data.
Resolution Authentication and authorization in Azure App Service and Azure Functions
Risk: High
Target: SQL Server
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Setting SQL Audit Retention Duration is essential for maintaining compliance with industry regulations, optimizing storage management, enhancing data security, simplifying data analysis, and ensuring consistency with overall data retention policies.
Resolution Auditing for Azure SQL Database and Azure Synapse Analytics
Risk: Medium
Target: Kubernetes
Compliance:
Description Enabling AKS cluster monitoring is crucial for gaining performance insights, proactive troubleshooting, resource optimization, custom alerting, compliance maintenance, and ensuring security. It aids in identifying and resolving issues promptly, enhancing overall efficiency and reducing downtime.
Resolution Enable Container insights for Azure Kubernetes Service (AKS) cluster
Risk: Medium
Target: My SQL Flexible
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Ensuring that your MySQL Flexible Database Server has the latest TLS version is crucial for enhanced security, compliance with regulations, compatibility with other systems, improved performance, and maintaining trust and reputation. Regularly updating and monitoring TLS configurations helps maintain a secure environment and protects sensitive data.
Resolution SSL/TLS connectivity in Azure Database for MySQL
Risk: High
Target: Subscription
Compliance:
Description Configure a Microsoft Azure activity log alert to trigger whenever a "Delete Key Vault" event occurs in your Azure cloud account. This alert condition improves Key Vault resource security and management by reducing the time required to mitigate accidental or intentional deletions using the Microsoft Azure Monitor service.
Resolution Configure Azure Key Vault alerts
Risk: High
Target: Subscription
Compliance:
Description To improve the security and availability of Azure SQL databases and reduce the impact of accidental or intentional deletions, monitor for "Delete Azure SQL Database" events using Microsoft Azure Monitor service and an Azure activity log alert. This alert triggers notifications whenever events matching the conditions of the "Administrative" category and "Delete Azure SQL Database (Microsoft.Sql/servers/databases)" signal name in the Activity Log occur.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for creating/updating operations in a MySQL database is crucial for maintaining security, performance, and compliance. It helps detect unauthorized access, provide an audit trail, identify performance bottlenecks and troubleshoot issues, ensure accountability, enable proactive maintenance, and aid disaster recovery efforts.
Resolution Set up alerts on metrics for Azure Database for MySQL - Flexible Server
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for Deallocate VM events is essential for cost management, security, compliance, resource management, troubleshooting, and promoting accountability. It helps detect unauthorized activity, maintain audit trails, ensure efficient resource usage, minimize downtime, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for Network Security Group events in Azure is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage network traffic effectively, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for Account Delete Network Security Group Rule events is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage network traffic effectively, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling log alerts for Delete Policy Assignment events in Azure is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage resources according to established policies, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for Delete PostgreSQL Database events in Azure is essential for security, compliance, data protection, troubleshooting, resource management, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, protect valuable information, minimize downtime, manage resources effectively, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling log alerts for Delete Security Solution events in Azure is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage security infrastructure effectively, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for deleting virtual machines (VMs) in Microsoft Azure is crucial for preventing accidental or unauthorized VM deletions and maintaining the security and integrity of an organization's cloud infrastructure. This alert provides immediate notifications when a VM is deleted, allowing administrators to take prompt action to restore any deleted VMs and investigate unauthorized deletion attempts. Log alerts also provide insights into who initiated the deletion and when it occurred, enabling administrators to track any suspicious or malicious activity. Moreover, log alerts for deleting VMs are important for compliance and regulatory requirements.
Resolution Create a new alert rule
Risk: High
Target: SQL Server
Compliance:
Description Configuring Azure Active Directory authentication allows for central identity management and access to Azure SQL databases through an Active Directory administrator. This simplifies permission management, improves security, and reduces the number of user identities. Additional benefits include password rotation in one place, external group management of permissions, and support for various forms of authentication. Connections from SQL Server Management Studio and SQL Server Data Tools are also enabled.
Resolution Configure and manage Azure AD authentication with Azure SQL
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for deleting storage accounts in Microsoft Azure is crucial for preventing accidental or unauthorized deletion of critical data, maintaining data security and integrity, and ensuring compliance with regulatory requirements. This alert enables administrators to receive immediate notifications when a storage account is deleted, allowing them to take prompt action to restore any deleted data and investigate any unauthorized deletion attempts. Additionally, log alerts provide insights into who initiated the deletion and when it occurred, enabling administrators to track any suspicious or malicious activity.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for renaming SQL databases in Microsoft Azure is crucial for preventing accidental or unauthorized renaming of critical databases, maintaining the security and integrity of an organization's cloud infrastructure, and ensuring compliance with regulatory requirements. This alert provides immediate notifications when a database is renamed, allowing administrators to take prompt action to restore any renamed databases and investigate unauthorized renaming attempts. Log alerts also provide insights into who initiated the renaming and when it occurred, enabling administrators to track any suspicious or malicious activity. Moreover, log alerts for renaming databases are important for compliance and regulatory requirements.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for creating or updating security solutions in Microsoft Azure is crucial for maintaining the security and integrity of an organization's cloud infrastructure. This alert provides immediate notifications when a "Create" or "Update Security Solution" event occurs, enabling administrators to take prompt action to investigate any unauthorized creation or modification attempts. Azure activity log alerts are activated whenever a new activity log event that matches the condition specified in the alert occurs, and in this case, the alert condition searches for Security Activity Logs that have "any" level, with "any" status and event initiated by "any".
By monitoring Azure accounts for "Create" or "Update Security Solution" events, administrators can gain insights into the changes made for their Azure Security Solutions and can reduce the time it takes to detect suspicious activity. Log alerts for creating or updating security solutions are also important for compliance and regulatory requirements, as most compliance frameworks require organizations to monitor and track activities that involve creating or modifying security solutions.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for updating Key Vault activity in Microsoft Azure is crucial for maintaining the security and integrity of an organization's cloud infrastructure. This alert provides immediate notifications when an "Update Key Vault" event occurs, allowing administrators to take prompt action to investigate any unauthorized modification attempts. Azure activity log alerts are triggered whenever a new activity log event that matches the condition specified in the alert configuration occurs.
To comply with this rule, an Azure activity log alert must be fired whenever "Update Key Vault" events are triggered within the Microsoft Azure cloud account. The alert configuration should match the condition "Whenever the Activity Log has an event with Category='Administrative', Signal name='Update Key Vault (vaults)'".
Log alerts for updating Key Vault activity are crucial for maintaining Azure security and ensuring compliance with regulatory requirements. By enabling log alerts for updating Key Vault activity, administrators can gain insights into the changes made to their Key Vault, reduce the time it takes to detect suspicious activity and comply with regulatory requirements that mandate monitoring and tracking of data modifications and access.
Resolution Configure Azure Key Vault alerts
Risk: High
Target: Security
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description To quickly detect security policy changes and reduce the risk of unauthorized modifications in your Azure cloud account, it is recommended to monitor the "Update Security Policy" events. You can achieve this by configuring an Azure activity log alert that triggers whenever a new event matching any level, any status, and any entity initiating the event occurs.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance:
Description To detect and prevent unauthorized activity in your Microsoft Azure cloud account, monitor for "Create/Update Storage Account" events using Azure activity log alerts. These alerts trigger notifications whenever events that match the specified configuration occur, which in this case includes the "Administrative" category and "Create/Update Storage Account (Microsoft.Storage/storageAccounts)" signal name in the Activity Log.
Resolution Create a new alert rule
Risk: High
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description To detect suspicious activity at the SQL server firewall level in your Microsoft Azure account, monitor for "Create," "Update," or "Delete SQL Server Firewall Rule" events using an Azure activity log alert. This alert triggers notifications whenever the specified events occur, matching the conditions of the "Administrative" activity log and "Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)" signal name, with any level, any status, and initiated by any entity.
Resolution Create a new alert rule
Risk: Medium
Target: SQL Server
Compliance:
Description Enabling periodic recurring scans in Vulnerability Assessment maintains continuous security, detects new threats, ensures compliance, tracks remediation progress, prioritizes risk management, and adapts to evolving threats. This protects your systems and data by staying proactive and informed.
Resolution SQL vulnerability assessment helps you identify database vulnerabilities
Risk: Medium
Target: Web App
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Redirecting all web application traffic from HTTP to HTTPS in Azure provides several benefits, including improved security through encryption, compliance with regulatory requirements, improved search engine optimization, and avoiding mixed content warnings. It is considered a best practice to ensure a seamless and secure user experience.
Resolution Create an application gateway with HTTP to HTTPS redirection using the Azure portal
Risk: High
Target: Virtual Machine
Compliance:
Description Microsoft Azure Security Center offers Just-in-Time (JIT) access as a threat prevention instrument to reduce surface areas susceptible to attacks. JIT access locks down virtual machines at the network level by blocking inbound traffic to management ports, and allows you to create policies to control access and reduce the attack surface. Enabling JIT access for Azure virtual machines is essential to improve security and reduce exposure to attacks while providing easy SSH/RDP access when needed.
Resolution Secure your management ports with just-in-time access
Risk: High
Target: Subscription
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description It's recommended to configure an Azure activity log alert for detecting "Create Policy Assignment" events in your Microsoft Azure cloud account. This alert is triggered whenever a new activity log event matches the specified condition. Monitoring such events can help you gain visibility into changes made within the "Policy Assignment" Azure policy and quickly identify any unauthorized changes.
Resolution Create a new alert rule
Risk: Medium
Target: SQL Server
Compliance:
Description Setting the retention duration to greater than 90 days for SQL Server in Azure can benefit data recovery, compliance, auditing and reporting, troubleshooting, and disaster recovery. However, consider the potential increase in storage costs and management resources before determining the appropriate retention duration for your organization's needs.
Resolution Manage Azure SQL Database long-term backup retention
Risk: High
Target: Blob Container
Compliance:
Description Assigning mandatory tags to Blob containers can provide several benefits, including improved data governance, resource allocation, enhanced data visibility, security, and streamlined operations. These tags help to correctly classify and label data, track resource usage, restrict access to sensitive data, automate routine tasks, and optimize resource allocation.
Resolution Set Blob Tags
Risk: High
Target: Databricks
Compliance:
Description Assigning mandatory tags to Databricks can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Monitor usage using cluster and pool tags
Risk: High
Target: Disk
Compliance:
Description Assigning mandatory tags to Disks can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use tags to organize your Azure resources and management hierarchy
Risk: High
Target: MySQL Server
Compliance:
Description Assigning mandatory tags to MySQL Server can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Manage MySQL servers
Risk: High
Target: Network Security Group
Compliance:
Description Assigning mandatory tags to Network Security Group can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Network Security Groups - Update Tags
Risk: High
Target: Resource Group
Compliance:
Description Assigning mandatory tags to Resource Group can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use tags to organize your Azure resources and management hierarchy
Risk: High
Target: Security Center
Compliance:
Description Assigning mandatory tags to Security Center can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution required-tag
Risk: High
Target: SQL Database
Compliance:
Description Assigning mandatory tags to SQL Database can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use tags to organize your Azure resources and management hierarchy
Risk: High
Target: SQL Server
Compliance:
Description Assigning mandatory tags to SQL Server can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use tags to organize your Azure resources and management hierarchy
Risk: High
Target: Virtual Machine
Compliance:
Description Assigning mandatory tags to Virtual Machines can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use tags to organize your Azure resources and management hierarchy
Risk: High
Target: VNet
Compliance:
Description Assigning mandatory tags to Virtual Network can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Virtual network service tags
Risk: High
Target: Storage Account
Compliance:
Description Assigning mandatory tags to Storage Account can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use tags to organize your Azure resources and management hierarchy
Risk: High
Target: Vaults
Compliance:
Description Using your own AWS KMS Customer Master Key (CMK) to encrypt data in your database-tier provides you with complete control over encryption key ownership and usage. It's recommended to create an Amazon KMS Customer Master Key (CMK) for your database tier to protect data-at-rest in your AWS web stack and meet security and compliance requirements. You can easily rotate, audit, and disable the key with Amazon KMS. Additionally, it's advised to tag AWS resources in your database tier to better manage and organize your resources.
Resolution Creating keys
Risk: High
Target: Vaults RBAC
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description It is important to have an explicit expiration time for all Microsoft Azure Key Vault keys to meet cloud security best practices and renew them before their expiration date to maintain security and compliance. Regularly check for expiring keys and create new versions of these keys to ensure security and compliance. Configuration for key renewal before expiration should be set on the Cloud Conformity account dashboard before running this rule.
Resolution Azure Policy built-in definitions for Key Vault
Risk: High
Target: Vaults RBAC
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Setting an expiration date for RBAC for secrets in Key Vaults is important to help secure and protect confidential information. It limits access time, ensures timely reviews of users and applications with access to the secret, and helps avoid forgotten secrets becoming security risks.
Resolution Azure Policy built-in definitions for Key Vault
Risk: High
Target: Subscription
Compliance:
Description Enabling log alerts for MySQL databases in Azure is essential for security, compliance, performance, troubleshooting, resource management, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, optimize database performance, minimize downtime, manage resources effectively, and encourage responsible practices within the organization.
Resolution Create a new alert rule
Risk: High
Target: Virtual Machine
Compliance:
Description Microsoft Azure provides multiple layers of encryption protection for virtual machine managed disks using platform-managed keys. However, it is recommended to use customer-managed keys for finer control over encryption and decryption. This provides complete control over who can access the encrypted data on managed disks, reducing the risk of sensitive data disclosure even for unattached disks.
Resolution Create and encrypt a Windows virtual machine with the Azure portal
Enable Vulnerability Assessment (VA) Setting 'Also Send Email Notifications to Admins and Subscription Owners'
Risk: Medium
Target: SQL Server
Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0
Description Enabling the "Also Send Email Notifications to Admins and Subscription Owners" setting in Vulnerability Assessment promotes timely remediation, improved security awareness, shared accountability, centralized communication, and comprehensive reporting. This helps maintain a proactive security posture and fosters a security-aware culture within the organization.
Resolution SQL vulnerability assessment helps you identify database vulnerabilities