Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
Azure
Loading policies...

Policy: Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine

Configures auditing against a CIS Benchmark item.

Level: 2

Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal.

Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

An Adversary may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized to move laterally and perform actions with the virtual machine's managed identity. The adversary may then perform management actions or access cloud-hosted resources as the logged-on managed identity.

Targets

This policy targets the following resource types:

  • Azure > Compute > Virtual Machine

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v3.0 > 08 - Virtual Machines

Related Policies

  • Attestation

Controls

Setting this policy configures this control:

  • Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine

Policy Specification

Schema Type
string
Default
Per Azure > CIS v3.0 > 08 - Virtual Machines
Valid Values [YAML]
  • Per Azure > CIS v3.0 > 08 - Virtual Machines

  • Skip

  • Check: Benchmark using attestation

Category

  • CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.05 Use Multifactor Authentication For All Administrative Access

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/cis#/control/categories/v070405
    • Policy Type URI
    • tmod:@turbot/azure-cisv3-0#/policy/types/r0810
    • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r0810") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r0810'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r0810'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r0810"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r0810"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
50
Mods
204
Resource Types
3,575
Policies
1,941
Controls
103
Quick Actions
111
IAM