Policy: Azure > CIS v4.0 > 07 - Management and Governance > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

Targets

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v4.0 > 07 - Management and Governance

Controls

Setting this policy configures these controls:

Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Azure > CIS v4.0 > 08 - Networking > 08.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Azure > CIS v4.0 > 08 - Networking > 08.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v4.0 > Maximum Attestation Duration`
Valid Values [YAML]	`Per Azure > CIS v4.0 > Maximum Attestation Duration` `Skip` `30 days` `60 days` `90 days` `1 year` `2 years` `3 years`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv4-0#/policy/types/s07Attestation

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv4-0#/policy/types/s07Attestation") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/s07Attestation'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv4-0#/policy/types/s07Attestation'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv4-0#/policy/types/s07Attestation"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv4-0#/policy/types/s07Attestation"