Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
Azure
Loading policies...

Policy: Azure > CIS v5.0 > 7 - Networking Services

This section covers security best practice recommendations for products in the Azure Networking services category.

This includes Virtual Networks, Network Security Groups, Application Gateway, and related networking recommendations.

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v5.0

Related Policies

  • 7.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • 7.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • 7.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
  • 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
  • 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
  • 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
  • 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
  • 7.11 - Ensure subnets are associated with network security groups
  • 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
  • 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
  • 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
  • 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
  • 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
  • Maximum Attestation Duration

Controls

Setting this policy configures these controls:

  • Azure > CIS v5.0 > 7 - Networking Services > 7.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v5.0 > 7 - Networking Services > 7.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v5.0 > 7 - Networking Services > 7.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v5.0 > 7 - Networking Services > 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
  • Azure > CIS v5.0 > 7 - Networking Services > 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
  • Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v5.0 > 7 - Networking Services > 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90
  • Azure > CIS v5.0 > 7 - Networking Services > 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
  • Azure > CIS v5.0 > 7 - Networking Services > 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
  • Azure > CIS v5.0 > 7 - Networking Services > 7.11 - Ensure subnets are associated with network security groups
  • Azure > CIS v5.0 > 7 - Networking Services > 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
  • Azure > CIS v5.0 > 7 - Networking Services > 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
  • Azure > CIS v5.0 > 7 - Networking Services > 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
  • Azure > CIS v5.0 > 7 - Networking Services > 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
  • Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources

Policy Specification

Schema Type
string
Default
Per Azure > CIS v5.0
Valid Values [YAML]
  • Per Azure > CIS v5.0

  • Skip

  • Check: All CIS Benchmarks except attestations

  • Check: All CIS Benchmarks
Examples [YAML]
  • Skip

Category

  • CIS

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/cis#/control/categories/cis
    • Policy Type URI
    • tmod:@turbot/azure-cisv5-0#/policy/types/s07
    • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv5-0#/policy/types/s07") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s07'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s07'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/s07"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/s07"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
50
Mods
207
Resource Types
3,612
Policies
1,957
Controls
103
Quick Actions
114
IAM