Policy: Azure > CIS v5.0 > 8 - Security Services

This section covers security best practice recommendations for products in the Azure Security services category.

This includes Microsoft Defender for Cloud, Key Vault, and Azure Bastion recommendations.

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v5.0

Controls

Setting this policy configures these controls:

Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 8.01.01.01 - Ensure Microsoft Defender CSPM is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs > 8.01.02.01 - Ensure Microsoft Defender for APIs is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.01 - Ensure that Defender for Servers is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers > 8.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service > 8.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault > 8.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager > 8.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.05 - Ensure 'Purge protection' is set to 'Enabled'
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.07 - Ensure Public Network Access is Disabled
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.08 - Ensure Private Endpoints are used to access Azure Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.11 - Ensure certificate 'Validity Period (in months)' is less than or equal to '12'
Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion > 8.04.01 - Ensure an Azure Bastion Host Exists
Azure > CIS v5.0 > 8 - Security Services > 8.05 - Ensure Azure DDoS Network Protection is enabled on virtual networks

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v5.0`
Valid Values [YAML]	`Per Azure > CIS v5.0` `Skip` `Check: All CIS Benchmarks except attestations` `Check: All CIS Benchmarks`
Examples [YAML]	`Skip`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv5-0#/policy/types/s08

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv5-0#/policy/types/s08") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s08'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s08'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/s08"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/s08"