Mod: azure-cisv1
The azure-cisv1 mod consists of 151 policies and 122 controls.
Recommended Version: 5.1.7
Released On: Nov 12, 2021
Depends On
azure ^5.0.0
azure-activedirectory ^5.0.0
azure-aks ^5.0.0
azure-appservice ^5.0.0
azure-compute ^5.0.0
azure-iam ^5.0.0
azure-keyvault ^5.0.0
azure-monitor ^5.0.0
azure-mysql ^5.0.0
azure-network ^5.0.0
azure-networkwatcher ^5.0.0
azure-postgresql ^5.0.0
azure-provider ^5.0.0
azure-securitycenter ^5.0.0
azure-sql ^5.0.0
azure-storage ^5.0.0
cis ^5.0.0
turbot ^5.0.0
turbot-iam ^5.1.0
Controls
- Azure > CIS v1
- Azure > CIS v1 > 1 Identity and Access Management
- Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are no guest users (Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.23 Ensure that no custom subscription owner roles are created (Scored)
- Azure > CIS v1 > 2 Security Center
- Azure > CIS v1 > 2 Security Center > 2.01 Ensure that standard pricing tier is selected (Scored)
- Azure > CIS v1 > 2 Security Center > 2.02 Ensure that "Automatic provisioning of monitoring agent" is set to "On" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.03 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.04 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.05 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.06 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.07 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.08 Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.09 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.10 Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.13 Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.16 Ensure that 'Security contact emails' is set (Scored)
- Azure > CIS v1 > 2 Security Center > 2.17 Ensure that security contact 'Phone number' is set (Scored)
- Azure > CIS v1 > 2 Security Center > 2.18 Ensure that 'Send email notification for high severity alerts' is set to 'On' (Scored)
- Azure > CIS v1 > 2 Security Center > 2.19 Ensure that 'Send email also to subscription owners' is set to 'On' (Scored)
- Azure > CIS v1 > 3 Storage
- Azure > CIS v1 > 3 Storage > 3.01 Ensure that 'Secure transfer required' is set to 'Enabled' (Scored)
- Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.03 Ensure Storage logging is enabled for Queue service for read, write, and delete requests (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.06 Ensure that 'Public access level' is set to Private for blob containers (Scored)
- Azure > CIS v1 > 3 Storage > 3.07 Ensure default network access rule for Storage Accounts is set to deny (Scored)
- Azure > CIS v1 > 3 Storage > 3.08 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access (Not Scored)
- Azure > CIS v1 > 4 Database Services
- Azure > CIS v1 > 4 Database Services > 4.01 Ensure that 'Auditing' is set to 'On' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.02 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly (Scored)
- Azure > CIS v1 > 4 Database Services > 4.03 Ensure that 'Auditing' Retention is 'greater than 90 days' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.04 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.05 Ensure that 'Threat Detection types' is set to 'All' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.06 Ensure that 'Send alerts to' is set (Scored)
- Azure > CIS v1 > 4 Database Services > 4.07 Ensure that 'Email service and co-administrators' is 'Enabled' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.08 Ensure that Azure Active Directory Admin is configured (Scored)
- Azure > CIS v1 > 4 Database Services > 4.09 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Scored)
- Azure > CIS v1 > 4 Database Services > 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) (Scored)
- Azure > CIS v1 > 4 Database Services > 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.2 Ensure that Activity Log Retention is set 365 days or greater (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.3 Ensure audit profile captures all the activities (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.4 Ensure the log profile captures activity logs for all regions including global (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
- Azure > CIS v1 > 6 Networking
- Azure > CIS v1 > 6 Networking > 6.01 Ensure that RDP access is restricted from the internet (Scored)
- Azure > CIS v1 > 6 Networking > 6.02 Ensure that SSH access is restricted from the internet (Scored)
- Azure > CIS v1 > 6 Networking > 6.03 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Scored)
- Azure > CIS v1 > 6 Networking > 6.04 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Scored)
- Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
- Azure > CIS v1 > 7 Virtual Machines
- Azure > CIS v1 > 7 Virtual Machines > 7.01 Ensure that 'OS disk' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.02 Ensure that 'Data disks' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.03 Ensure that 'Unattached disks' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored)
- Azure > CIS v1 > 8 Other Security Considerations
- Azure > CIS v1 > 8 Other Security Considerations > 8.01 Ensure that the expiration date is set on all keys (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.02 Ensure that the expiration date is set on all secrets (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.04 Ensure the key vault is recoverable (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.05 Enable role-based access control (RBAC) within Azure Kubernetes Services (Scored)
- Azure > CIS v1 > 9 Application Services
- Azure > CIS v1 > 9 Application Services > 9.01 Ensure App Service Authentication is set on Azure App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.02 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.03 Ensure web app is using the latest version of TLS encryption (Scored)
- Azure > CIS v1 > 9 Application Services > 9.04 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Scored)
- Azure > CIS v1 > 9 Application Services > 9.05 Ensure that Register with Azure Active Directory is enabled on App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.06 Ensure that '.Net Framework' version is the latest, if used as a part of the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.07 Ensure that 'PHP version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.08 Ensure that 'Python version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.09 Ensure that 'Java version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.10 Ensure that 'HTTP Version' is the latest, if used to run the web app (Not Scored)
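Controls 6.01 and 6.02 above are evaluated by the mod against live Network Security Groups; the following is an added example (not the azure-cisv1 mod's own code) showing the same decision offline, so a practitioner can reason about why a rule set passes or fails. It assumes the field names of `az network nsg rule list -o json` (name, priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges); the three rule sets are constructed samples, not real tenants. It walks rules in priority order so that a higher-priority deny shadows a broad allow, and it catches port ranges and protocol `*` that quietly include 3389 or 22.

```python
"""Offline evaluator for CIS Azure v1 6.01 (RDP) and 6.02 (SSH): is the
port reachable from an arbitrary internet address through this NSG?
Added example; field names follow `az network nsg rule list` output."""

# Source prefixes Azure treats as "anywhere on the internet".
INTERNET_SOURCES = {"*", "any", "internet", "0.0.0.0", "0.0.0.0/0"}
# Control id -> TCP destination port it concerns.
CHECKED_PORTS = {"6.01 RDP": 3389, "6.02 SSH": 22}


def source_is_internet(prefix: str) -> bool:
    """True for 'Any', 'Internet', '0.0.0.0/0' and any '<addr>/0' prefix."""
    s = prefix.strip().lower()
    return s in INTERNET_SOURCES or s.endswith("/0")


def port_in_spec(port: int, spec: str) -> bool:
    """True if `port` falls inside an NSG port spec: '*', '22' or '3000-4000'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _sources(rule: dict) -> list:
    # az CLI fills either the singular or the plural field; merge both.
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return srcs


def _ports(rule: dict) -> list:
    ports = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ports.append(rule["destinationPortRange"])
    return ports


def rule_matches_internet_flow(rule: dict, port: int) -> bool:
    """Would this rule (allow or deny) match an inbound TCP flow to `port`
    from an arbitrary internet address?"""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if not any(source_is_internet(s) for s in _sources(rule)):
        return False
    return any(port_in_spec(port, p) for p in _ports(rule))


def evaluate_nsg(rules: list) -> dict:
    """Return {control: (status, deciding_rule_name)} for one NSG.
    Rules are walked in ascending priority and the first match decides, as
    the NSG engine does; with no match Azure's built-in DenyAllInBound
    (priority 65500) applies, so the control passes with no deciding rule."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    results = {}
    for control, port in CHECKED_PORTS.items():
        verdict = ("ok", None)
        for rule in ordered:
            if rule_matches_internet_flow(rule, port):
                status = "alarm" if rule["access"].lower() == "allow" else "ok"
                verdict = (status, rule["name"])
                break
        results[control] = verdict
    return results


def _rule(name, priority, access, protocol, src, dports):
    """Build a constructed rule using az CLI field names."""
    return {
        "name": name, "priority": priority, "direction": "Inbound",
        "access": access, "protocol": protocol,
        "sourceAddressPrefix": src if isinstance(src, str) else None,
        "sourceAddressPrefixes": src if isinstance(src, list) else [],
        "destinationPortRange": dports if isinstance(dports, str) else None,
        "destinationPortRanges": dports if isinstance(dports, list) else [],
    }


# Constructed sample NSGs (hypothetical, not from a real subscription).
SAMPLE_EXPOSED = [  # RDP open to the world; SSH only from an office range
    _rule("allow-rdp-any", 300, "Allow", "Tcp", "*", "3389"),
    _rule("allow-ssh-office", 310, "Allow", "Tcp", "203.0.113.0/24", "22"),
]
SAMPLE_SHADOWED = [  # broad allow is harmless: a higher-priority deny wins
    _rule("deny-mgmt-from-internet", 100, "Deny", "Tcp", "Internet", ["22", "3389"]),
    _rule("allow-all-range", 200, "Allow", "*", "0.0.0.0/0", "3000-4000"),
]
SAMPLE_RANGE = [  # a port range with protocol '*' silently includes 3389
    _rule("allow-app-range", 200, "Allow", "*", "*", "3000-4000"),
]

if __name__ == "__main__":
    for label, nsg in (("exposed", SAMPLE_EXPOSED), ("shadowed", SAMPLE_SHADOWED),
                       ("range", SAMPLE_RANGE)):
        print(label, evaluate_nsg(nsg))
```

Feed it the JSON from `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` to reproduce a finding. Note that a deny rule only counts as protection here if its source also covers the whole internet; a deny scoped to a single prefix does not close the port for everyone else.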
Policies
- Azure > CIS v1
- Azure > CIS v1 > 1 Identity and Access Management
- Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that multi-factor authentication is enabled for all privileged users (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are no guest users (Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that 'Number of methods required to reset' is set to '2' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.06 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.08 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.11 Ensure that 'Users can register applications' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.13 Ensure that 'Members can invite' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.14 Ensure that 'Guests can invite' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.16 Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.17 Ensure that 'Users can create security groups' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.18 Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.21 Ensure that 'Enable "All Users" group' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored)
- Azure > CIS v1 > 1 Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored) > Attestation
- Azure > CIS v1 > 1 Identity and Access Management > 1.23 Ensure that no custom subscription owner roles are created (Scored)
- Azure > CIS v1 > 2 Security Center
- Azure > CIS v1 > 2 Security Center > 2.01 Ensure that standard pricing tier is selected (Scored)
- Azure > CIS v1 > 2 Security Center > 2.02 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' (Scored)
- Azure > CIS v1 > 2 Security Center > 2.03 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.04 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.05 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.06 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.07 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.08 Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.09 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.10 Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.13 Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" (Scored)
- Azure > CIS v1 > 2 Security Center > 2.16 Ensure that 'Security contact emails' is set (Scored)
- Azure > CIS v1 > 2 Security Center > 2.17 Ensure that security contact 'Phone number' is set (Scored)
- Azure > CIS v1 > 2 Security Center > 2.18 Ensure that 'Send email notification for high severity alerts' is set to 'On' (Scored)
- Azure > CIS v1 > 2 Security Center > 2.19 Ensure that 'Send email also to subscription owners' is set to 'On' (Scored)
- Azure > CIS v1 > 3 Storage
- Azure > CIS v1 > 3 Storage > 3.01 Ensure that 'Secure transfer required' is set to 'Enabled' (Scored)
- Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored) > Attestation
- Azure > CIS v1 > 3 Storage > 3.03 Ensure Storage logging is enabled for Queue service for read, write, and delete requests (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored) > Attestation
- Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored)
- Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored) > Attestation
- Azure > CIS v1 > 3 Storage > 3.06 Ensure that 'Public access level' is set to Private for blob containers (Scored)
- Azure > CIS v1 > 3 Storage > 3.07 Ensure default network access rule for Storage Accounts is set to deny (Scored)
- Azure > CIS v1 > 3 Storage > 3.08 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access (Not Scored)
- Azure > CIS v1 > 4 Database Services
- Azure > CIS v1 > 4 Database Services > 4.01 Ensure that 'Auditing' is set to 'On' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.02 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly (Scored)
- Azure > CIS v1 > 4 Database Services > 4.03 Ensure that 'Auditing' Retention is 'greater than 90 days' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.04 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.05 Ensure that 'Threat Detection types' is set to 'All' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.06 Ensure that 'Send alerts to' is set (Scored)
- Azure > CIS v1 > 4 Database Services > 4.07 Ensure that 'Email service and co-administrators' is 'Enabled' (Scored)
- Azure > CIS v1 > 4 Database Services > 4.08 Ensure that Azure Active Directory Admin is configured (Scored)
- Azure > CIS v1 > 4 Database Services > 4.09 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Scored)
- Azure > CIS v1 > 4 Database Services > 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) (Scored)
- Azure > CIS v1 > 4 Database Services > 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 4 Database Services > 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.2 Ensure that Activity Log Retention is set 365 days or greater (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.3 Ensure audit profile captures all the activities (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.4 Ensure the log profile captures activity logs for all regions including global (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
- Azure > CIS v1 > 6 Networking
- Azure > CIS v1 > 6 Networking > 6.01 Ensure that RDP access is restricted from the internet (Scored)
- Azure > CIS v1 > 6 Networking > 6.02 Ensure that SSH access is restricted from the internet (Scored)
- Azure > CIS v1 > 6 Networking > 6.03 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Scored)
- Azure > CIS v1 > 6 Networking > 6.04 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Scored)
- Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
- Azure > CIS v1 > 7 Virtual Machines
- Azure > CIS v1 > 7 Virtual Machines > 7.01 Ensure that 'OS disk' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.02 Ensure that 'Data disks' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.03 Ensure that 'Unattached disks' are encrypted (Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.04 Ensure that only approved extensions are installed (Not Scored) > Attestation
- Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.05 Ensure that the latest OS Patches for all Virtual Machines are applied (Not Scored) > Attestation
- Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored)
- Azure > CIS v1 > 7 Virtual Machines > 7.06 Ensure that the endpoint protection for all Virtual Machines is installed (Not Scored) > Attestation
- Azure > CIS v1 > 8 Other Security Considerations
- Azure > CIS v1 > 8 Other Security Considerations > 8.01 Ensure that the expiration date is set on all keys (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.02 Ensure that the expiration date is set on all Secrets (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored) > Attestation
- Azure > CIS v1 > 8 Other Security Considerations > 8.04 Ensure the key vault is recoverable (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.05 Enable role-based access control (RBAC) within Azure Kubernetes Services (Scored)
- Azure > CIS v1 > 9 Application Services
- Azure > CIS v1 > 9 Application Services > 9.01 Ensure App Service Authentication is set on Azure App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.02 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.03 Ensure web app is using the latest version of TLS encryption (Scored)
- Azure > CIS v1 > 9 Application Services > 9.04 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Scored)
- Azure > CIS v1 > 9 Application Services > 9.05 Ensure that Register with Azure Active Directory is enabled on App Service (Scored)
- Azure > CIS v1 > 9 Application Services > 9.06 Ensure that '.Net Framework' version is the latest, if used as a part of the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.07 Ensure that 'PHP version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.08 Ensure that 'Python version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.09 Ensure that 'Java version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > 9 Application Services > 9.10 Ensure that 'HTTP Version' is the latest, if used to run the web app (Not Scored)
- Azure > CIS v1 > Maximum Attestation Duration