Policy: Azure > CIS v5.0 > 7 - Networking Services

Primary Policy

This policy is used with the following primary policy:

• Azure > CIS v5.0

Related Policies

• 7.01 - Ensure that RDP access from the Internet is evaluated and restricted
• 7.02 - Ensure that SSH access from the Internet is evaluated and restricted
• 7.03 - Ensure that UDP access from the Internet is evaluated and restricted
• 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
• 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
• 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
• 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
• 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
• 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
• 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
• 7.11 - Ensure subnets are associated with network security groups
• 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
• 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
• 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
• 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
• 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
• 7 - Maximum Attestation Duration

Controls

Setting this policy configures these controls:

• Azure > CIS v5.0 > 7 - Networking Services > 7.01 - Ensure that RDP access from the Internet is evaluated and restricted
• Azure > CIS v5.0 > 7 - Networking Services > 7.02 - Ensure that SSH access from the Internet is evaluated and restricted
• Azure > CIS v5.0 > 7 - Networking Services > 7.03 - Ensure that UDP access from the Internet is evaluated and restricted
• Azure > CIS v5.0 > 7 - Networking Services > 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
• Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
• Azure > CIS v5.0 > 7 - Networking Services > 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
• Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
• Azure > CIS v5.0 > 7 - Networking Services > 7.08 Ensure that virtual network flow log retention days is set to greater than or equal to 90
• Azure > CIS v5.0 > 7 - Networking Services > 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
• Azure > CIS v5.0 > 7 - Networking Services > 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
• Azure > CIS v5.0 > 7 - Networking Services > 7.11 - Ensure subnets are associated with network security groups
• Azure > CIS v5.0 > 7 - Networking Services > 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
• Azure > CIS v5.0 > 7 - Networking Services > 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
• Azure > CIS v5.0 > 7 - Networking Services > 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
• Azure > CIS v5.0 > 7 - Networking Services > 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
• Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources

Policy Specification

string

Per Azure > CIS v5.0

Category

• CIS

In Your Workspace

• Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv5-0#/policy/types/s07

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv5-0#/policy/types/s07") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s07'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s07'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/s07"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/s07"