Policy: Azure > CIS v3.0 > Maximum Attestation Duration
The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
Setting this policy configures these controls:
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent`
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/cis
- tmod:@turbot/azure-cisv3-0#/policy/types/attestation
- turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/attestation"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/attestation"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI