Policy: Azure > CIS v4.0 > Maximum Attestation Duration

Targets

This policy targets the following resource types:

• Azure > Active Directory > Directory
• Azure > Subscription
• Azure > Tenant

Primary Policy

This policy is used with the following primary policy:

• Azure > CIS v4.0

Controls

Setting this policy configures these controls:

• Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
• Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)
• Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled
• Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default
• Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service}
• Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets
• Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes
• Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks
• Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks
• Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
• Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks
• Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
• Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
• Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
• Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
• Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
• Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure that an exclusionary device code flow policy is considered
• Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users
• Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins
• Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations
• Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
• Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
• Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure that 'Number of methods required to reset' is set to '2'
• Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure that account 'Lockout threshold' is less than or equal to '10'
• Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
• Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
• Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
• Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
• Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
• Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent'
• Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
• Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
• Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
• Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
• Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
• Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
• Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
• Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure that a custom role is assigned permissions for administering resource locks
• Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
• Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
• Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
• Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
• Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
• Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
• Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis
• Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
• Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
• Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
• Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
• Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
• Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated
• Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
• Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts

Policy Specification

string

Skip

Category

• CIS

In Your Workspace

• Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv4-0#/policy/types/attestation

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv4-0#/policy/types/attestation") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/attestation'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/attestation'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv4-0#/policy/types/attestation"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv4-0#/policy/types/attestation"