Policy: Azure > CIS v5.0 > Maximum Attestation Duration
The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
Setting this policy configures these controls:
- Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets
- Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes
- Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks
- Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks
- Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
- Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks
- Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID
- Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users
- Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed
- Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed
- Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2'
- Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
- Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent'
- Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
- Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]'
- Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
- Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
- Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks
- Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners
- Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
- Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/cis
- tmod:@turbot/azure-cisv5-0#/policy/types/attestation
- turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/attestation"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/attestation"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI