Policy: Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default

Configures auditing against a CIS Benchmark item.

Level: 1

Network access rules should be configured to deny access by default and only allow access from trusted networks. This reduces the attack surface by preventing unauthorized access from unknown networks.

This is a cross-cutting control that applies to multiple Azure services including Cognitive Services, Compute Disks, Container Registry, Service Bus, and Storage Accounts.

Targets

This policy targets the following resource types:

Azure > Subscription

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets)

Attestation

Controls

Setting this policy configures this control:

Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02.01 - Virtual Networks`
Valid Values [YAML]	`>- Per Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02.01 - Virtual Networks` `Skip` `Check: Benchmark using attestation`

Schema Type

string

Default

Per Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02.01 - Virtual Networks

Valid Values [YAML]

>-
  Per Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02.01 -
  Virtual Networks

Skip

Check: Benchmark using attestation

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071303

Policy Type URI

tmod:@turbot/azure-cisv4-0#/policy/types/r02020102

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv4-0#/policy/types/r02020102") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/r02020102'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/r02020102'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv4-0#/policy/types/r02020102"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv4-0#/policy/types/r02020102"

Policy: Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default

Targets

Primary Policy

Related Policies

Controls

Policy Specification

Category

In Your Workspace

Developers

Policy: Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default

Targets

Primary Policy

Related Policies

Controls

Policy Specification

Category

In Your Workspace

Developers