Azure Policy


Operations

  1. Configure Metric Alert Rules on Batch Accounts
  2. Enable Diagnostic Logs in Batch Accounts
  3. Enable Diagnostic Logs in Service Bus
  4. Configure SQL Audit Action Groups
  5. Enable Log Alert for Delete Key Vault Events
  6. Enable Log Alert for Delete SQL DB
  7. Install Vulnerability Assessment Solution on Virtual Machines
  8. Install Monitoring Agent on Machines
  9. Use a Vulnerability Assessment Solution to Remediate Vulnerabilities
  10. Configure Email in Data Security Settings
  11. Enable Log Alert for Create/Update MySQL DB
  12. Enable Log Alert for Create/Update PostgreSQL DB
  13. Enable Log Alert for Create/Update Load Balancer
  14. Enable Log Alert for Create/Update Virtual Machine
  15. Enable Log Alert for Deallocate VM Event
  16. Enable Log Alert for Load Balancer
  17. Enable Log Alert for Network Security Group
  18. Enable Log Alert for Delete Policy Assignment
  19. Enable Log Alert for Delete PostgreSQL Database
  20. Enable Log Alert for Delete Security Solution Event
  21. Enable Log Alert for Delete Storage Account
  22. Enable Log Alert for Account Delete VM
  23. Enable Log Alert for Delete VM
  24. Enable Log Alert for Rename SQL DB
  25. Enable Log Alert for Update Key Vault Activity
  26. Enable Log Alert for Update Security Policy
  27. Enable Immutable Blob Storage
  28. Enable Log Alert for Create/Update Storage Account
  29. Enable Incoming Client Certificates for Function App
  30. Enable AKS Cluster Monitoring
  31. Enable Auto-Provisioning Policy for Defender Log Analytics Agent
  32. Enable RBAC for Azure Kubernetes Services
  33. Enable Diagnostic Logs for Azure Logic Apps Workflows
  34. Enable Log Alert for MySQL Database
  35. Enable Log Alert for Create/Update SQL DB

Security

  1. Restrict Network Ports on Network Security Groups Associated to VM
  2. Enable Adaptive Application Controls on Virtual Machines
  3. Enable Auditing for Advanced Data Security SQL Server
  4. Check Unrestricted Network Access to Storage Accounts
  5. Check Storage VNet Integration
  6. Enable Secure Transfer to Storage Accounts
  7. Provision Active Directory Administrator for SQL Servers
  8. Deny Public Access to Storage Accounts with Blob Containers
  9. Deny Access to Virtual Machine Management Ports
  10. Enable Adaptive Application Controls
  11. Enable Azure Storage Account Customer Managed Keys
  12. Create AWS KMS Customer Master Key for Database-Tier
  13. Enable Alert for Azure SQL Advanced Threat Detection
  14. Encrypt VMs with Disk Encryption using Key Vault
  15. Deny Public Access to FTP Ports 20 and 21
  16. Deny Public Access to RPC Port 135
  17. Deny Public Access to SQL Server Port 1433
  18. Deny Public Access to SSH Port 22
  19. Deny Public Access to UDP
  20. Enable Network Security Groups on Virtual Machines
  21. Enable Web Tier Customer Managed Keys
  22. Enable Azure Key Vault Customer Managed Key
  23. Enable In-Transit Encryption for Redis Cache Server
  24. Enable JIT Access to Secure VM Management
  25. Set Expiration Date for Keys in Key Vault
  26. Set Expiration Date for RBAC for Keys in Key Vaults
  27. Set Expiration Date for Secrets in Key Vault
  28. Set Expiration Date for RBAC for Secrets in Key Vaults
  29. Resolve App Service Health Check Issues
  30. Authenticate VM Access Using SSH Keys for Enhanced Security
  31. Deny Public Access to RDP Port 3389
  32. Enable Azure Threat Detection on SQL Server
  33. Install Endpoint Protection for VM
  34. Harden the Network Security Group Rules for Internet-Facing Virtual Machines
  35. Strengthen VM Security using Azure Container Security
  36. Enable Disk Encryption Monitoring and Recommendations for Microsoft Azure Virtual Machines (VMs)
  37. Deny Public Access to PostgreSQL Server Port 5432
  38. Enable Transparent Data Encryption on SQL Databases
  39. Define Authorized IP Ranges for AKS API Server
  40. Deny Full Administrator Privilege to Azure Key Vault
  41. Deny Network Access Rule for Storage Accounts
  42. Disable Remote Debugging on Application Service
  43. Disable Plain FTP Deployment
  44. Disable Kubernetes Dashboard
  45. Enable Add-on Policies for AKS
  46. Create Policy Assignment Log Alert
  47. Enable Azure Defender for App Service
  48. Enable Azure Defender for SQL Database
  49. Enable Azure Defender for Virtual Machine
  50. Enable Encryption for Application Tier Disk Volumes on VM
  51. Encrypt Unattached Disk Volumes
  52. Deny Public Access to SQL Server Port 1434
  53. Enable In-Transit Encryption for PostgreSQL Server
  54. Enable Private Cluster for AKS
  55. Enable the HTTP/2 Protocol Azure App Service Web Applications
  56. Disable IP Forwarding on VM Network Interfaces
  57. Monitor Missing Endpoint Protection on VM in Security Center
  58. Enable Diagnostics Logs in Namespaces
  59. Remove Custom Owner Roles
  60. Set SQL Audit Retention Duration
  61. Check Encryption for SQL TDE Protector
  62. Enable Vulnerability Assessment on SQL Servers
  63. Configure ‘Send Scan Report to’ within Vulnerability Assessment Under SQL Server
  64. Classify Sensitive Data in SQL Database
  65. Set Retention Duration to ‘Greater than N days’ for SQL Server
  66. Assign Subnet to Network Security Group
  67. Install System Updates on Virtual Machines
  68. Ensure that MySQL Flexible Database Server has the Latest TLS Version
  69. Deny Public Access to SQL Database
  70. Deny Public Access to MySQL Server Port 3306
  71. Deny Public Access to Oracle Port 1521
  72. Encrypt OS and Data Disk with CMK
  73. Encrypt Storage Account for Activity Logs using CMK
  74. Enable Diagnostic Logs in Key Vault
  75. Encrypt VM Disk Volume Using CMK
  76. Enable Log Alert for Create/Update Network Security Group
  77. Enable Log Alert for PostgreSQL DB
  78. Configure Additional E-mail Address in MS Defender
  79. Enable App Service Web App Authentication
  80. Enable Log Alert for Account Delete Network Security Group Rule
  81. Enable Log Alert for Create/Update Security Solution
  82. Configure Mandatory Categories in Diagnostics Setting
  83. Enable Log Alert for Create/Update Delete SQL Server Firewall Rule
  84. Enable the Vulnerability Assessment ‘Periodic Recurring Scans’
  85. Enable Delete Protection for the Key Vault
  86. Configure Latest Minimum TLS Version for Storage Account
  87. Enable Soft Delete for Blob Storage
  88. Enable Transparent Data Encryption for SQL Database
  89. Enable Active Directory on Application Services
  90. Redirect All Traffic from HTTP to HTTPS
  91. Configure the Latest TLS Version for WebApp
  92. Set NSG flow log retention period >= N days
  93. Set all Users Option to Owner in Email Notifications for MS Defender
  94. Set the Severity of the Notification Alerts in MS Defender to High
  95. Enable Trusted Microsoft Services to Access Storage Account
  96. Enable Vulnerability Assessment (VA) Setting Also Send email Notifications to Admins and Subscription Owners
  97. Enable Client Certificate for Web Applications

Deny Public Access to FTP Ports 20 and 21

Risk: Critical

Target: NSG

Compliance:

Description
It is crucial to secure your Azure virtual machines associated with these NSGs by ensuring that Microsoft Azure network security groups (NSGs) do not permit unrestricted access on TCP ports 20 and 21, which are used for data transfer and communication by the File Transfer Protocol (FTP) client-server applications. Attackers might use brute-force methods to gain access to your Azure virtual machines through these ports, underscoring the importance of securing them.

Resolution
Restrict NSG Source setting

Deny Public Access to SSH Port 22

Risk: Critical

Target: NSG

Compliance:

Description
Secure remote login is achieved through TCP port 22, which connects an SSH client application with an SSH server. In order to minimize the possibility of a security breach and adhere to the principle of least privilege, it is essential to review the inbound rules of your Microsoft Azure network security groups (NSGs) for TCP port 22. It is recommended to restrict access to only the necessary IP addresses, instead of permitting unrestricted access (i.e., 0.0.0.0/0).

Resolution
Restrict NSG Source setting

Deny Public Access to RPC Port 135

Risk: Critical

Target: NSG

Compliance:

Description
The Microsoft Message Queuing (MSMQ) and other Microsoft Windows/Windows Server software use the Remote Procedure Call (RPC) TCP port 135 for client-server communications. Allowing unrestricted access to this port can lead to hacking, ransomware, and denial-of-service (DoS) attacks. To reduce the attack surface, it is essential to follow the principle of least privilege and ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 135.

Resolution
Restrict NSG Source setting

Deny Public Access to SQL Server Port 1433

Risk: Critical

Target: NSG

Compliance:

Description
Allowing unrestricted access to TCP port 1433 can lead to malicious activities such as hacking, denial-of-service (DoS) attacks, and SQL injection attacks. To minimize the attack surface and adhere to the principle of least privilege, it is essential to ensure that all Microsoft Azure network security groups (NSGs) limit inbound access to TCP port 1433 to only trusted IP addresses.

Resolution
Restrict NSG Source setting

Deny Public Access to SQL Server Port 1434

Risk: Critical

Target: NSG

Compliance:

Description
Denying public access to SQL Server port 1434 in Azure is vital for security. It prevents unauthorized users from connecting to your SQL Server and reduces the risk of attacks. By restricting access, you safeguard sensitive data and comply with industry regulations. It aligns with network security best practices and helps create a more secure architecture. Additional measures like virtual network service endpoints, Azure Private Link, and firewall rules enhance security. Regular updates, strong authentication, and following security best practices are essential for overall protection.

Resolution
Restrict NSG Source setting

Deny Public Access to Oracle Port 1521

Risk: Critical

Target: NSG

Compliance:

Description
To implement the principle of least privilege and enhance the security of your Microsoft Azure network, it is important to restrict inbound/ingress access on TCP port 1521 to trusted entities (i.e., specific IP addresses). By limiting access to trusted entities, you can reduce the attack surface and protect your network against potential threats.

Resolution
Restrict NSG Source setting

Deny Public Access to MySQL Server Port 3306

Risk: Critical

Target: NSG

Compliance:

Description
To protect against malicious actors and reduce the attack surface, it is important to ensure that Microsoft Azure network security groups (NSGs) do not permit unrestricted access (e.g., 0.0.0.0/0) on TCP port 3306.

Resolution
Work with Network Security Group

Deny Public Access to RDP Port 3389

Risk: Critical

Target: NSG

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Unrestricted access (e.g., 0.0.0.0/0) on RDP port 3389 should not be allowed as it can open your system to malicious actors and increase the attack surface.
To increase security, it is recommended to update your Azure Network Security Group (NSG) configuration to restrict Remote Desktop Protocol (RDP) access to specific IP addresses or IP ranges.

Resolution
Restrict NSG Source setting

Deny Public Access to PostgreSQL Server Port 5432

Risk: Critical

Target: NSG

Compliance:

Description
To protect against malicious actors and reduce the attack surface, it is important to restrict firewall rules that permit unrestricted access (e.g., 0.0.0.0/0) on PostgreSQL port 5432. Restrict Azure Network Security Groups (NSGs) inbound access via TCP ports 5432 to trusted IP addresses only.

Resolution
Restrict NSG Source setting

Enable Azure Defender for App Service

Risk: High

Target: Security Pricing

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling Microsoft Defender for Cloud is crucial for improving the security of Microsoft Azure App Service instances. It provides advanced threat detection features such as intelligence, anomaly detection, and behavior analytics designed explicitly for Azure App Service.

Microsoft Defender for Cloud is not activated for App Service instances by default. However, turning it on will activate advanced security defense capabilities that leverage the threat detection services provided by the Microsoft Security Response Center.

Resolution
Enable Defender for App Service

Enable Azure Defender for SQL Database

Risk: Critical

Target: Security Pricing

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling Microsoft Defender for Cloud is recommended for Azure SQL database servers to detect and mitigate potential vulnerabilities and anomalous activities. The security feature provides action-oriented security alerts and helps monitor servers for threats like SQL injection and privilege abuse. By default, Defender for Cloud is not enabled.

Resolution
Enable Defender for App Service

Enable Azure Defender for Virtual Machine

Risk: High

Target: Security Pricing

Compliance:

Description
It is recommended to enable Microsoft Defender for Cloud for virtual machines in an Azure cloud account. This security service provides advanced protection features, including vulnerability scanning, file integrity monitoring, access monitoring, and network hardening. Enabling this service strengthens the defense-in-depth of the Azure environment, as it is not enabled by default.

Resolution
Enable Defender for Servers

Authenticate VM Access Using SSH Keys for Enhanced Security

Risk: Critical

Target: VM (Azure)

Compliance:

Description
To ensure a higher level of security and mitigate the risks associated with passwords, it is advisable to authenticate access to virtual machines using SSH keys. Removing the option of password authentication enforces more secure methods and eliminates the vulnerabilities that come with passwords.

Resolution
Create and use SSH keys for Windows VM

Enable Network Security Groups on Virtual Machines

Risk: High

Target: VM (Azure)

Compliance:

Description
Enabling network security group monitoring in Microsoft Azure allows Azure Security Center to audit VM-associated network security groups for overly permissive traffic rules. This feature detects such groups and recommends configuring them to control inbound and outbound traffic to VMs with public endpoints. Subnet-configured security groups are inherited by all VM network interfaces by default.

Resolution
Filter Network Traffic

Enable Adaptive Application Controls

Risk: High

Target: VM (Azure)

Compliance:

Description
To control which applications can run on eligible virtual machines (VMs) in Microsoft Azure, enable monitoring of adaptive application controls. Microsoft Defender for Cloud then uses machine learning to analyze the applications running on each VM and suggests a list of known-safe applications, helping to harden the VMs against malware. Adaptive Application Controls is an automated application-allowlisting solution provided by Microsoft Defender for Cloud; once enabled, only the allowlisted applications are permitted to run on Azure and non-Azure VMs, on both Windows and Linux.

Resolution
Enable Adaptive Application Controls

Resolve App Service Health Check Issues

Risk: High

Target: VM (Azure)

Compliance:

Description
Proper maintenance of your App Service is essential to guarantee the reliability and efficiency of your application. Regular health checks are necessary to identify and resolve problems that could lead to service interruptions or sluggish performance. By addressing these issues, you can optimize your app for an improved user experience and make it more resilient to unexpected disruptions. Additionally, regular maintenance will help ensure that your application runs at optimal performance and that any potential problems are addressed quickly, resulting in a smoother overall operation.

Resolution
Monitor App Service instances using Health check

Encrypt VMs with Disk Encryption using Key Vault

Risk: High

Target: Virtual Machine

Compliance:

Description
Azure Disk Encryption uses DM-Crypt for Linux and BitLocker for Windows to provide volume encryption for OS and data disks of Azure virtual machines (VMs), integrated with Azure Key Vault for managing encryption keys and secrets. Enabling Azure Disk Encryption is recommended for production data to protect VM disks from unauthorized access and meet compliance requirements. Encrypting boot volumes ensures entire VM data is unrecoverable without a key, providing protection from unwarranted reads. It is essential to encrypt Microsoft Azure virtual machine (VM) boot volumes using Azure Disk Encryption and integrated Azure Key Vault to meet security and compliance requirements.

Resolution
Enable Disk Encryption

Deny Public Access to UDP

Risk: Critical

Target: Network Security Group

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
To reduce the attack surface and implement the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e., 0.0.0.0/0) to UDP ports. The User Datagram Protocol (UDP) is a communication protocol used on the internet for transmitting time-sensitive data, such as video streaming or Domain Name System (DNS) lookups. One of the main benefits of using UDP is that it allows for fast data transfer. However, it is also possible for packets to be lost during transmission, which can create vulnerabilities and potentially allow for malicious activities like Distributed Denial of Service (DDoS) attacks.

Resolution
Update Security Rules

Disable IP Forwarding on VM Network Interfaces

Risk: High

Target: VM (Azure)

Compliance:

Description
Regularly review Microsoft Azure network interfaces with IP forwarding enabled for security and compliance. IP forwarding is mainly used by VMs acting as network virtual appliances. Assess each interface to determine if IP forwarding is necessary.

Resolution
Disable IP forwarding

Disable Remote Debugging on Application Service

Risk: High

Target: Web App

Compliance:

Description
The remote debugging feature, available for web applications such as ASP.NET, ASP.NET Core, Node.js, and Python, can create potential security vulnerabilities. It requires opening certain inbound ports for the Visual Studio remote debugger within the configuration of your Microsoft Azure App Services web applications. However, this increases the attack surface and may pose a security risk. To improve the security of your Azure App Services web applications and prevent unauthorized access, it is recommended to disable remote debugging. By following the principle of least privilege and disabling access to these inbound ports, you can significantly reduce the possibility of a security breach.

Resolution
Disable Remote Debugging

Deny Access to Virtual Machine Management Ports

Risk: Critical

Target: VM (Azure)

Description
Management ports, such as Remote Desktop Protocol (RDP) and Secure Shell (SSH), are commonly used to connect to Azure virtual machines to administer them remotely. However, these ports open your virtual machine to potential attacks from the Internet and can expose you to credential-guessing attempts. It is important to ensure that these management ports are securely configured and monitored to minimize the risk of attack.

Resolution
Restrict NSG Source setting

Harden the Network Security Group Rules for Internet-Facing Virtual Machines

Risk: High

Target: VM (Azure)

Compliance:

Description
Hardening the Network Security Group Rules for Internet-Facing Virtual Machines in Azure is critical to ensure the security of your cloud environment. By hardening the rules, you can reduce the attack surface and limit access to only those services and ports necessary for the applications and services running on the virtual machine. This can help protect against malicious actors trying to gain access to your environment and prevent attackers from exploiting any open or vulnerable ports. Hardening the Network Security Group Rules can help you meet compliance requirements, such as those that government regulations or industry standards may impose.

Resolution
Setup Network Hardening
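A worked check for the NSG policies above (the Deny Public Access entries for FTP, SSH, RPC, SQL Server, Oracle, MySQL, RDP and PostgreSQL ports, Deny Public Access to UDP, Deny Access to Virtual Machine Management Ports, and this hardening entry), added here as an example; it is not code from the page or from the product's own policy engine. It models how an NSG evaluates inbound rules (ascending priority, first match wins, built-in DenyAllInBound as the fallback) and reports which of the listed ports an arbitrary Internet address could reach. The rule dictionaries use the ARM property names (sourceAddressPrefix, destinationPortRanges, and so on); the sample rules, the port table and the function names are constructed for the example.

```python
"""Audit Azure NSG inbound rules for ports reachable from the Internet.

Constructed example for this page (not the product's policy engine). It
models NSG evaluation: custom rules are checked in ascending priority
order, the first rule matching a flow decides it, and if no custom rule
matches, the built-in DenyAllInBound default rule applies.
"""
from typing import Dict, List, Tuple

# Ports named by the page's "Deny Public Access" policies (constructed table).
WATCHED_PORTS: Dict[Tuple[str, int], str] = {
    ("Tcp", 20): "FTP data", ("Tcp", 21): "FTP control", ("Tcp", 22): "SSH",
    ("Tcp", 135): "RPC", ("Tcp", 1433): "SQL Server", ("Tcp", 1434): "SQL Browser",
    ("Tcp", 1521): "Oracle", ("Tcp", 3306): "MySQL", ("Tcp", 3389): "RDP",
    ("Tcp", 5432): "PostgreSQL",
}

# Source prefixes that admit any address on the Internet.
UNRESTRICTED_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}


def _port_in_spec(port: int, spec: str) -> bool:
    """True if `port` falls inside one NSG port spec: '*', '22' or '1000-2000'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _rule_ports(rule: dict) -> List[str]:
    """Merge the single and plural destination-port properties of an ARM rule."""
    single = rule.get("destinationPortRange")
    return ([single] if single else []) + list(rule.get("destinationPortRanges") or [])


def _rule_sources(rule: dict) -> List[str]:
    """Merge the single and plural source-prefix properties of an ARM rule."""
    single = rule.get("sourceAddressPrefix")
    return ([single] if single else []) + list(rule.get("sourceAddressPrefixes") or [])


def _matches_public_flow(rule: dict, protocol: str, port: int) -> bool:
    """Would this rule match an inbound packet from an arbitrary Internet address?"""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol") not in ("*", protocol):   # ARM spelling: Tcp, Udp, *
        return False
    if not any(_port_in_spec(port, spec) for spec in _rule_ports(rule)):
        return False
    # A rule scoped to a specific source prefix only matches that prefix, so it
    # neither allows nor blocks the generic Internet flow and is skipped here.
    return any(src in UNRESTRICTED_SOURCES for src in _rule_sources(rule))


def effective_public_access(rules: List[dict], protocol: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) that decides an Internet-sourced flow to the port."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches_public_flow(rule, protocol, port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"   # built-in default rule applies when nothing matches


def find_exposed_ports(rules: List[dict]) -> List[dict]:
    """Watched ports an arbitrary Internet address can reach, with the rule responsible."""
    findings = []
    for (protocol, port), service in WATCHED_PORTS.items():
        access, rule_name = effective_public_access(rules, protocol, port)
        if access == "Allow":
            findings.append({"port": port, "protocol": protocol,
                             "service": service, "rule": rule_name})
    return findings


def unrestricted_udp_rules(rules: List[dict]) -> List[str]:
    """Names (by priority) of inbound Allow rules opening UDP to any Internet source."""
    hits = [r for r in rules
            if r.get("direction") == "Inbound" and r.get("access") == "Allow"
            and r.get("protocol") in ("*", "Udp")
            and any(src in UNRESTRICTED_SOURCES for src in _rule_sources(r))]
    return [r["name"] for r in sorted(hits, key=lambda r: r["priority"])]


# Constructed sample rules in the shape returned by `az network nsg rule list`.
SAMPLE_RULES = [
    {"name": "allow-ssh-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "deny-rdp-internet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-sql-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["1433", "1434"]},
    {"name": "allow-all-mgmt", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "3000-4000"},
    {"name": "allow-dns-udp", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "Internet", "destinationPortRange": "53"},
]

if __name__ == "__main__":
    for f in find_exposed_ports(SAMPLE_RULES):
        print(f"EXPOSED {f['protocol']}/{f['port']} ({f['service']}) via rule {f['rule']}")
    print("UDP open to the Internet by:", unrestricted_udp_rules(SAMPLE_RULES))
```

On the sample rules the check reports SQL Server (1433, 1434) through the wildcard-source rule and MySQL (3306) through a broad port range on a protocol-agnostic rule, while RDP stays closed because the explicit Deny at priority 110 shadows the later Allow, and SSH stays closed because its only Allow rule is scoped to a specific prefix. That shadowing is why a priority-aware walk is needed rather than a per-rule grep for 0.0.0.0/0.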

Deny Full Administrator Privilege to Azure Key Vault

Risk: Critical

Target: Key Vault

Compliance:

Description
Ensuring maximum safety for confidential and crucial data stored in Azure Key Vaults requires granting access to specific operations only to relevant principals. It is also crucial to follow security best practices, including implementing the principle of least privilege. No Microsoft Azure user, group, or application should have full administrator privileges for accessing and managing Azure Key Vaults.

Resolution
Restrict Vault Privilege

Enable Encryption for Application Tier Disk Volumes on VM

Risk: High

Target: VM (Azure)

Compliance:

Description
To meet security and compliance requirements, it is recommended to encrypt all disk volumes attached to Microsoft Azure virtual machines in the application tier. The Cloud Conformity engine can run a rule assuming that all Azure cloud resources in the app tier are tagged with a specific tag name and value. Enabling encryption ensures confidentiality and protects sensitive data from unauthorized access.

Resolution
Enable Disk Encryption

Encrypt Unattached Disk Volumes

Risk: Critical

Target: Managed Disk

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Unencrypted detached disk volumes pose a risk of sensitive information disclosure, even if they are not mounted to any virtual machine. We recommend encrypting all disk volumes attached to Azure virtual machines within the application tier to ensure confidentiality and meet compliance and security requirements. It is also important to encrypt detached disk volumes using Azure Disk Encryption, which uses BitLocker for Windows and DM-Crypt for Linux to encrypt the OS and data disks of Azure virtual machines. Integration with Azure Key Vault allows for controlling and managing disk encryption keys and secrets.

Resolution
Enable Encryption

Enable In-Transit Encryption for PostgreSQL Server

Risk: High

Target: PostgreSQL

Compliance:

Description
To fulfill security and compliance requirements, it is essential to ensure that data in transit for Microsoft Azure PostgreSQL servers is encrypted. This prevents unauthorized access to sensitive information stored in your Azure PostgreSQL databases. It is highly recommended to enable Secure Sockets Layer (SSL) connections between the PostgreSQL database servers and client applications when working with production data. This additional layer of security protects against Man-In-the-Middle (MITM) attacks and fulfills in-transit encryption compliance requirements within your organization.

Resolution
Enable in-transit encryption

Enable In-Transit Encryption for Redis Cache Server

Risk: High

Target: Redis Cache

Compliance:

Description
Using secure connections between the cache server and the service/application protects data in transit and authenticates users. Encryption is recommended to protect production data from unauthorized access and comply with data encryption requirements. Enabling SSL connection to Azure Redis Cache servers is essential to meet cloud security and compliance requirements, as it helps prevent unauthorized access to sensitive data during transit. Enforcing SSL connection is necessary to ensure data in transit remains secure.

Resolution
Enable in-transit encryption

Enable Secure Transfer to Storage Accounts

Risk: High

Target: Storage Account

Description
The Azure Storage account provides a secure and scalable environment for storing various types of data objects, including files, blobs, queues, tables, and disks, with high availability and durability.

Enabling the “Secure transfer required” feature restricts access to your Azure storage account to secure connections only, using the HTTPS protocol. This enhances the security of your storage account by rejecting requests that use unencrypted connections. To ensure the security of your Azure Storage data, all data transfer between clients and the storage account must be encrypted with HTTPS.

Resolution
Enable secure transfer

Configure SQL Audit Action Groups

Risk: High

Target: SQL Server (Azure)

Compliance:

Description
To capture critical activity on SQL databases and servers, ensure proper configuration of the “AuditActionGroup” property in the auditing policy implemented at the Microsoft Azure SQL server level. Enable SQL database auditing and configure the “AuditActionGroup” property to include the SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP action groups for comprehensive audit logging of SQL servers and hosted databases.

Resolution
Configure Audit Action Group

Deny Public Access to SQL Database

Risk: High

Target: SQL Database

Compliance:

Description
To ensure security against unauthorized connections, it is important to set up the Microsoft Azure SQL server firewall to only allow inbound access from authorized networks. This can be done by specifying the range of IP addresses from these networks and creating firewall rules with specific IP addresses. This will reduce the risk of attacks on your SQL servers.

Resolution
Deny public access

Enable Client Certificate for Web Applications

Risk: Critical

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling client certificates for web applications using mutual TLS authentication enhances security by verifying both client and server identities. To implement this, obtain and configure SSL/TLS certificates, distribute client certificates to authorized users, enable mTLS on the web server, update the application’s authentication mechanism, and test the setup for proper functioning.

Resolution
Secure a custom DNS name with a TLS/SSL binding in Azure App Service

Enable Incoming Client Certificates for Function App

Risk: Medium

Target: Function App

Compliance:

Description
Enabling incoming client certificates for a Function App can enhance security by implementing mutual TLS (mTLS) authentication. This process requires the client and the server to present their respective certificates during the TLS handshake, thus verifying each other’s identities. As a result, only authorized clients can access the Function App, reducing the risk of unauthorized access and enhancing the system’s overall security.

Resolution
Secure a custom DNS name with a TLS/SSL binding in Azure App Service

Enable Delete Protection for the Key Vault

Risk: High

Target: Key Vault

Compliance:

Description
Enabling delete protection for a Key Vault adds an extra layer of security against accidental or intentional deletion of sensitive data, minimizing the risk of unauthorized access and maintaining data integrity and confidentiality.

Resolution
Azure Key Vault recovery management with soft delete and purge protection

Deny Network Access Rule for Storage Accounts

Risk: High

Target: Storage Account

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
A Deny Network Access Rule for Storage Accounts is a security control that blocks network traffic to a storage account from specified IP addresses or ranges. It provides benefits such as improved security, compliance, granular access control, and reduced attack surface. Deny Network Access Rules limit access to only authorized users or applications, reduce the risk of unauthorized access or data exfiltration, and help organizations meet compliance requirements. It is an important best practice for protecting sensitive data in Azure storage accounts and preventing security breaches.

Resolution
Configure Azure Storage firewalls and virtual networks

Configure the Latest TLS Version for WebApp

Risk: High

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Configuring the latest TLS version for a WebApp in Azure provides several benefits, including improved security through encryption, compliance with regulatory requirements, improved compatibility with modern web browsers and applications, and potential performance improvements. Keeping up with the latest security protocols is considered a best practice to protect user data and maintain customer trust.

Resolution
Secure a custom DNS name with a TLS/SSL binding in Azure App Service

Enable Soft Delete for Blob Storage

Risk: High

Target: Blob Service

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling Soft Delete for Blob Storage is crucial for protecting against accidental or malicious data deletion, ensuring compliance, simplifying data recovery, providing a cost-effective solution for data protection, and maintaining data integrity.

Resolution
Enable soft delete for blobs

Encrypt Storage Account for Activity Logs Using CMK

Risk: Critical

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Encrypting a storage account for activity logs using a CMK provides data protection, custom key management, auditing and monitoring, key rotation, and compliance with industry regulations. Using services like Azure Storage Service Encryption and following key management best practices helps maintain a secure environment and protect sensitive log data.

Resolution
Customer-managed keys for Azure Storage Encryption

Set NSG flow log retention period >= N days

Risk: Critical

Target: NSG

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Configuring the Network Security Group (NSG) flow log retention period to more than 90 days in Azure provides several benefits, including compliance with regulatory requirements, improved incident response capabilities, the ability to perform forensic analysis, and historical analysis to optimize network performance. Retaining NSG flow logs for a longer period is considered a best practice to gain valuable insights into network behavior and improve the security and performance of your Azure environment.

Resolution
Flow logs for network security groups

Enable Transparent Data Encryption on SQL Databases

Risk: Critical

Target: SQL Database

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Transparent Data Encryption (TDE) helps protect sensitive data stored in a SQL Server database by encrypting the data on disk. This ensures that the data is not compromised if the disk or disk backups are stolen. It also helps protect data stored in memory while the server is running, and helps to prevent malicious activity by restricting access to the data. TDE also helps to ensure compliance with various industry data protection regulations and standards.

Resolution
Transparent data encryption (TDE)

Configure Mandatory Categories in Diagnostics Setting

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Configuring mandatory categories in diagnostics settings is a best practice that provides benefits such as improved visibility, compliance, simplified logging, and improved troubleshooting. It ensures important logs and metrics are collected for analysis, meets compliance requirements, simplifies logging, and improves troubleshooting by providing necessary information to identify and resolve issues. It is essential for organizations that need to monitor and analyze the health and performance of their applications and infrastructure to ensure optimal performance and reduce downtime.

Resolution
az monitor diagnostic-settings

Enable Active Directory on Application Services

Risk: High

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling Active Directory (AD) on Application Services provides several benefits, including single sign-on, centralized access control, security, compliance, and simplified management of user identities and access control.

Resolution
Configure the Active Directory Web Services (ADWS) to start automatically on all servers

Encrypt OS and Data Disk with CMK

Risk: Critical

Target: Managed Disk

Compliance:

Description
Encrypting OS and data disks with a CMK provides enhanced data protection, custom key management, auditing and monitoring capabilities, key rotation, and compliance with industry regulations. Using services like Azure Disk Encryption and following best practices for key management helps maintain a secure environment and protect sensitive data.

Resolution
Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks

Configure Additional E-mail Address in MS Defender

Risk: High

Target: Defender for Cloud

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Configuring additional email addresses in Microsoft Defender provides benefits such as improved notification coverage, better collaboration, redundancy, and flexibility. It ensures that relevant personnel receive security incident alerts and can collaborate to resolve them, provides redundancy in case of email address unavailability, and provides flexibility in managing notifications based on alert severity or incident type. It is an important best practice to ensure security incidents are promptly addressed and critical alerts are not missed.

Resolution
Quickstart: Configure email notifications for security alerts

Set the Severity of the Notification Alerts in MS Defender to High

Risk: High

Target: Defender for Cloud

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Setting the severity of notification alerts in Microsoft Defender to “high” helps prioritize critical issues, allocate resources effectively, reduce alert fatigue, enable faster response times, and ensure compliance with regulations. However, it’s crucial to maintain a comprehensive strategy for managing security alerts across all severity levels to maintain a robust security posture.

Resolution
Configure alert notifications in Microsoft 365 Defender

Enable RBAC for Azure Kubernetes Services

Risk: Medium

Target: AKS

Compliance:

Description
Enabling Role-Based Access Control (RBAC) for Azure Kubernetes Services (AKS) is crucial for maintaining a secure and compliant environment. It provides granular control over access to AKS resources, limits the attack surface, ensures compliance with regulatory frameworks, enables audit trails, and provides flexibility in managing access to AKS resources.

Resolution
Use Kubernetes role-based access control with Azure Active Directory in Azure Kubernetes Service

Enable Azure Key Vault Customer Managed Key

Risk: High

Target: Key Vault

Compliance:

Description
Enabling Azure Key Vault Customer Managed Key (CMK) provides increased security, control, and compliance to your data in the cloud. By bringing your own encryption keys to Azure Key Vault, you can manage encryption keys and control access to them, which ensures that only authorized users can access your data. Enabling CMK helps meet regulatory and compliance requirements and provides additional layers of security to your Azure resources.

Resolution
Enable a customer-managed key

Set Expiration Date for Keys in Key Vault

Risk: High

Target: Key Vault

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Setting an expiration date for keys in Key Vault provides benefits such as enhanced security, compliance, simplified key management, improved auditing and accountability, and better performance. It reduces the risk of compromised keys, helps ensure compliance, simplifies key management, provides a clear record of key usage, and helps maintain robust security and system performance over time. It is a critical best practice to follow for the security and integrity of cryptographic systems.

Resolution
Manage Key Vault using the Azure CLI

Set Expiration Date for Secrets in Key Vault

Risk: High

Target: Key Vault

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Setting an expiration date for secrets in Key Vault provides benefits such as the reduced risk of compromise, simplified secret management, improved auditing and accountability, compliance, and maintaining security over time. Secrets, like passwords and connection strings, are critical to security systems, and their compromise can pose a significant risk. Setting an expiration date for secrets in Key Vault can limit their lifespan, reducing the risk of compromise, simplifying secret management, and improving auditing and accountability. It is an important best practice to ensure the security and integrity of systems.

Resolution
Manage Key Vault using the Azure CLI

Enable Diagnostic Logs in Key Vault

Risk: High

Target: Key Vault

Compliance: CIS Microsoft Azure Foundations Benchmark v1.4.0

Description
Enabling diagnostic logs in Key Vault is important to monitor and audit activities, troubleshoot issues, comply with regulatory requirements related to data protection and security, and improve overall security posture by identifying potential vulnerabilities and taking proactive measures to prevent security threats.

Resolution
Enable Key Vault logging

Deny Public Access to Storage Accounts with Blob Containers

Risk: High

Target: Storage Account

Compliance: CIS Microsoft Azure Foundations Benchmark v1.4.0

Description
To improve the security of your Microsoft Azure Storage account, it’s advisable to modify the default setting from “Allow” to “Deny” and restrict access to selected networks or IP addresses. To achieve this, you may allow access to particular Azure Virtual Networks, which provide a secure network boundary, or public IP address ranges, which facilitate connections from specific services or clients. With network restrictions in place, only authorized applications from approved networks or IP addresses will be permitted to access the storage account. These applications must also possess the appropriate authorization to gain entry.

Resolution
Configure Azure Storage firewalls and virtual networks

Assign Mandatory Tags to Network Interface

Risk: High

Target: Network Interface

Compliance:

Description
Assigning mandatory tags to Network Interface can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Network Interfaces – Update Tag

Assign Mandatory Tags to Load Balancer

Risk: High

Target: Load Balancer (Azure)

Compliance:

Description
Assigning mandatory tags to Load balancer can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tags for your Application Load Balancer

Enable Auditing for Advanced Data Security SQL Server

Risk: Medium

Target: SQL Server

Compliance:

Description
Enabling auditing for Advanced Data Security on SQL Servers provides benefits such as enhanced security, compliance, improved visibility, forensic analysis, and continuous monitoring. Auditing allows you to track and log security-related events, detect potential security threats, meet compliance requirements, provide greater visibility into user activity, conduct forensic analysis, and proactively monitor for suspicious activity. It is an essential component of a robust security strategy for organizations handling sensitive SQL server data.

Resolution
Auditing for Azure SQL Database and Azure Synapse Analytics

Enable Alert for Azure SQL Advanced Threat Detection

Risk: High

Target: SQL Database

Compliance:

Description
Enabling alerts for Azure SQL Advanced Threat Detection is important for detecting and preventing potential data breaches or unauthorized access to sensitive data. It is also necessary for compliance with security standards and regulations, including GDPR and HIPAA, which require regular monitoring and incident detection.

Resolution
Configure Advanced Threat Protection in Azure SQL Managed Instance

Enable Log Alert for Create/Update PostgreSQL DB

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for create/update operations in a PostgreSQL database is essential for maintaining security, performance, and compliance. It helps detect unauthorized access, provides an audit trail, identifies performance bottlenecks, enables troubleshooting, ensures accountability, allows proactive maintenance and aids disaster recovery efforts.

Resolution
Set up alerts on metrics for Azure Database for PostgreSQL – Single Server

Enable Log Alert for Create/Update Load Balancer

Risk: High

Target: Subscription

Compliance:

Description
Monitoring “Create or Update Load Balancer” events in your Azure account offers insights into changes and helps detect unauthorized or undesired activities. Configure an Azure activity log alert with the condition “Category=’Administrative’ and Signal name=’Create or Update Load Balancer (loadBalancers)’” to ensure timely detection.

Resolution
Create a new alert rule

Enable Log Alert for Create/Update Virtual Machine

Risk: High

Target: Subscription

Compliance:

Description
Configure an Azure activity log alert for “Create or Update Virtual Machine” events to detect unauthorized activities quickly. The matching condition is: when the Administrative Activity Log “Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)” has “any” event level, “any” status, and is initiated by “any” user. This monitoring provides insights into changes related to Azure VMs within your cloud environment.

Resolution
Create a new alert rule
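The two activity log alert conditions described above (Create or Update Load Balancer, and Create or Update Virtual Machine) can be checked offline against exported Activity Log records. This is an added example, not code from the page or from Microsoft; the mapping of portal signal names to resource-provider write operations and all sample records are constructed for the example.

```python
"""Evaluate Azure Activity Log records against two activity log alert conditions:
Category = Administrative and the signal's create/update (write) operation.
Event level, status and "event initiated by" are left at "any", exactly as the
alert rules above are specified, so those fields are never filtered."""
import json
from typing import Any, Dict, Iterable, List

# Portal signal names from the policy entries, mapped to the resource-provider
# operation each signal corresponds to (mapping constructed for this example).
ALERT_SIGNALS = {
    "Create or Update Load Balancer (loadBalancers)":
        "Microsoft.Network/loadBalancers/write",
    "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)":
        "Microsoft.Compute/virtualMachines/write",
}


def _value(field: Any) -> str:
    """Activity Log exports carry some fields as plain strings and others as
    {"value": ..., "localizedValue": ...}; normalise both to the raw value."""
    if isinstance(field, dict):
        return str(field.get("value", ""))
    return "" if field is None else str(field)


def matches_signal(record: Dict[str, Any], operation_name: str) -> bool:
    """True when the record satisfies the alert condition for one signal.
    Only category and operationName participate; level/status/caller are 'any'."""
    category = _value(record.get("category")).lower()
    operation = _value(record.get("operationName")).lower()
    return category == "administrative" and operation == operation_name.lower()


def evaluate(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one alert per (record, signal) match with the triage fields an
    on-call engineer needs: which signal, who did it, on what, and the outcome."""
    alerts: List[Dict[str, str]] = []
    for rec in records:
        for signal, operation in ALERT_SIGNALS.items():
            if matches_signal(rec, operation):
                alerts.append({
                    "signal": signal,
                    "caller": _value(rec.get("caller")),
                    "resource": _value(rec.get("resourceId")),
                    "status": _value(rec.get("status")),
                    "time": _value(rec.get("eventTimestamp")),
                })
    return alerts


def load_records(jsonl_text: str) -> List[Dict[str, Any]]:
    """Parse a JSON-lines export, ignoring blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


# Constructed sample export (JSON lines). Subscription and resource ids are
# placeholders, not real identifiers.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # 1. VM create/update still in progress: matches (status is "any")
    {"eventTimestamp": "2024-01-10T09:00:00Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Started"}, "caller": "alice@example.com",
     "resourceId": _SUB + "/Microsoft.Compute/virtualMachines/vm-web-01"},
    # 2. Same operation completed: matches
    {"eventTimestamp": "2024-01-10T09:00:07Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"}, "caller": "alice@example.com",
     "resourceId": _SUB + "/Microsoft.Compute/virtualMachines/vm-web-01"},
    # 3. Load balancer create/update by a different principal: matches
    {"eventTimestamp": "2024-01-10T09:05:00Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/loadBalancers/write"},
     "status": {"value": "Succeeded"}, "caller": "bob@example.com",
     "resourceId": _SUB + "/Microsoft.Network/loadBalancers/lb-public"},
    # 4. Read of a load balancer: Administrative, but not a write, no alert
    {"eventTimestamp": "2024-01-10T09:06:00Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/loadBalancers/read"},
     "status": {"value": "Succeeded"}, "caller": "bob@example.com",
     "resourceId": _SUB + "/Microsoft.Network/loadBalancers/lb-public"},
    # 5. VM delete: a different operation, covered by a separate alert rule
    {"eventTimestamp": "2024-01-10T09:10:00Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Succeeded"}, "caller": "alice@example.com",
     "resourceId": _SUB + "/Microsoft.Compute/virtualMachines/vm-old"},
    # 6. Non-Administrative category: never matches these rules
    {"eventTimestamp": "2024-01-10T09:12:00Z", "category": {"value": "Security"},
     "operationName": {"value": "Microsoft.Security/locations/alerts/activate/action"},
     "status": {"value": "Succeeded"}, "caller": "Azure Security Center",
     "resourceId": _SUB + "/Microsoft.Security/locations/westeurope"},
])


if __name__ == "__main__":
    for alert in evaluate(load_records(SAMPLE_LOG)):
        print(f"{alert['time']}  {alert['signal']}  by {alert['caller']}  "
              f"[{alert['status']}]  {alert['resource']}")
```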

Enable Log Alert for Load Balancer

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for Load Balancer events in Azure is essential for security, compliance, performance, troubleshooting, resource management, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, optimize network traffic distribution, minimize downtime, manage resources effectively, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Account Delete VM

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for account deletion of virtual machines (VMs) in Microsoft Azure is crucial for preventing accidental or unauthorized deletion of critical VMs and their associated data, maintaining the security and integrity of an organization’s cloud infrastructure, and ensuring compliance with regulatory requirements. This alert enables administrators to receive immediate notifications when a specific account deletes a VM, allowing them to take prompt action to restore any deleted VMs and investigate any unauthorized deletion attempts. Log alerts also provide valuable insights into who initiated the deletion and when it occurred, enabling administrators to track any suspicious or malicious activity.

Resolution
Create a new alert rule

Enable the HTTP/2 Protocol Azure App Service Web Applications

Risk: High

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling the HTTP/2 protocol for Azure App Service web applications can improve performance by reducing page load times, improving security with mandatory SSL/TLS encryption, ensuring compatibility with modern web browsers, and providing SEO benefits by improving search engine rankings.

Resolution
HTTP/2 support in Azure App Service

Configure ‘Send Scan Report to’ within Vulnerability Assessment under SQL Server

Risk: Medium

Target: SQL Server (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Configuring the “Send Scan Report to” option within SQL Server’s Vulnerability Assessment is important for timely notifications, accountability, centralized documentation, compliance, improved collaboration, and monitoring of remediation progress. It helps ensure potential security risks are addressed proactively and promotes a robust security posture within the organization.

Resolution
Vulnerability Assessment for SQL Server

Set all Users Option to Owner in Email Notifications for MS Defender

Risk: High

Target: Defender for Cloud

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Setting all users as owners in email notifications for Microsoft Defender in Azure is not recommended due to security risks and management challenges. Instead, follow best practices such as the principle of least privilege, role-based access control, targeted notifications, separation of duties, and regular monitoring and auditing to maintain a secure and efficient environment.

Resolution
Defender for Identity notifications in Microsoft 365 Defender

Enable Adaptive Application Controls on Virtual Machines

Risk: Medium

Target: Virtual Machine

Compliance:

Description
Enabling Adaptive Application Controls on Virtual Machines brings benefits such as increased security, reduced risk of configuration errors, improved performance, and simplified management. It uses machine learning algorithms to identify and prevent potentially harmful activities, automatically adjusts security policies based on application behavior, and can be managed centrally.

Resolution
Use adaptive application controls to reduce your machines’ attack surfaces

Check Unrestricted Network Access to Storage Accounts

Risk: High

Target: Storage Account

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
To secure access to your Microsoft Azure Storage account, you should configure network rules to limit access to specific Azure Virtual Networks or public IP address ranges. Clients and applications that request access should provide proper authorization, such as access keys or Shared Access Signatures (SAS) tokens. To add an extra layer of security, ensure that the default network access is set to “Deny” to prevent unauthorized access from any network.

Resolution
Azure Policy built-in definitions for Azure Storage

Check Storage VNet Integration

Risk: High

Target: Storage Account

Compliance:

Description
Checking Storage VNet Integration is important to ensure a secure network boundary for specific applications accessing Microsoft Azure Storage accounts. By configuring network rules, access is limited to allowed networks and IP addresses, and proper authorization (such as a valid access key or Shared Access Signature token) is required for access. To add an extra layer of security, it is recommended to deny access to traffic from all networks and change the default action from “Allow” to “Deny.”

Resolution
Integrate your app with an Azure virtual network

Configure Metric Alert Rules on Batch Accounts

Risk: High

Target: Batch Account

Compliance:

Description
Configuring metric alert rules on Batch Accounts in Azure helps proactively monitor system performance and availability, trigger alerts based on defined thresholds for Batch account metrics, and prevent potential downtime or performance issues. This ensures efficient and effective operation of the Batch service.

Resolution
Batch metrics, alerts, and logs for diagnostic evaluation and monitoring

Enable Diagnostic Logs in Batch Accounts

Risk: High

Target: Batch Account

Compliance:

Description
Enabling diagnostic logs in Batch Accounts in Azure provides insights into system behavior, improves system uptime, and reduces MTTR by identifying potential issues and their root causes. These logs can be used for performance monitoring, auditing, and security analysis, and analyzed with various Azure tools for valuable insights and trend identification.

Resolution
Batch metrics, alerts, and logs for diagnostic evaluation and monitoring

Enable Diagnostic Logs in Service Bus

Risk: High

Target: Service Bus Namespace

Compliance:

Description
Enabling diagnostic logs in Azure Service Bus is essential for maintaining system visibility, identifying potential issues, and improving system uptime and performance. These logs provide insights into messaging operations, message delivery, and security events, and can be analyzed with Azure tools for monitoring, auditing, and security analysis.

Resolution
Monitoring Azure Service Bus data reference

Enable Azure Storage Account Customer Managed Keys

Risk: High

Target: Storage Account

Compliance:

Description
Customer Managed Keys allow customers to control their own encryption keys for Azure Storage accounts, providing an extra layer of security and enabling greater regulatory compliance. This feature allows customers to generate, store, and revoke their own encryption keys in Azure Key Vault, ensuring that they have full control over who can access their data. Additionally, customers can rotate their encryption keys as needed to further enhance security. Using Customer Managed Keys is a best practice for ensuring the highest level of security for Azure Storage account data.

Resolution
Customer-managed keys for Azure Storage encryption

Enable Web Tier Customer Managed Keys

Risk: High

Target: Key Vault

Compliance:

Description
To enhance security and compliance in your Microsoft Azure cloud web tier, utilizing a Customer-Managed Key (CMK) or Bring Your Own Key (BYOK) within your Azure Key Vault is recommended. This provides complete control over key usage and ownership, implementing the principle of least privilege. Configuring at least one CMK/BYOK for your web tier is advisable. All Azure cloud resources within the web tier must be tagged with :, where refers to the tag name and refers to the tag value. Properly configure the tag set for your Azure web tier before implementing the CMK/BYOK key.

Resolution
Customer-managed keys for Azure Storage encryption

Install Vulnerability Assessment Solution on Virtual Machines

Risk: High

Target: VM (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enable automatic provisioning of vulnerability assessment solutions for Azure VM servers using Microsoft Defender for Cloud to monitor security configurations and reduce management overhead. This applies to both Azure and hybrid environments, streamlining the installation of required agents and extensions on VMs.

Resolution
Automatically configure vulnerability assessment for your machines

Install Monitoring Agent on Machines

Risk: High

Target: VM (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Installing Monitoring Agents on Azure machines is crucial for enhanced visibility, performance optimization, log collection, timely alerts, security, compliance, simplified management, and seamless integration with other Azure services. This ensures efficient VM operation, effective troubleshooting, and a secure, compliant infrastructure.

Resolution
Microsoft Monitoring Agent setup

Use a Vulnerability Assessment Solution to Remediate Vulnerabilities

Risk: High

Target: VM (Azure)

Compliance:

Description
Using a Vulnerability Assessment Solution is crucial for enhancing security posture, prioritizing risk management, ensuring compliance, providing actionable insights, streamlining security processes, offering visibility and tracking, and minimizing potential damages from cyber attacks. It helps maintain a strong, secure, and compliant infrastructure.

Resolution
View and remediate findings from vulnerability assessment solutions on your VMs

Configure Email in Data Security Settings

Risk: High

Target: SQL Server (Azure)

Compliance:

Description
Configuring email in Data Security Settings in Azure is essential for receiving timely security alerts, compliance notifications, and operational updates. It facilitates prompt incident response, promotes accountability and communication, and aids in auditing and reporting, ultimately improving the overall management of your Azure environment.

Resolution
Configure email notifications for security alerts

Enable Azure Threat Detection on SQL Server

Risk: High

Target: SQL Database

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Azure Threat Detection for SQL Server provides advanced threat protection for your databases in the cloud. It monitors the security of your databases and detects suspicious activities, such as SQL injection attacks, malicious attempts to access sensitive data, and anomalous database activities. It also provides an easy-to-use dashboard to view the security of your databases and track threats. By enabling Azure Threat Detection on SQL Server, you can gain visibility into potential security threats, protect your databases from attack, and minimize your risk of data loss.

Resolution
Configure Advanced Threat Protection in Azure SQL Managed Instance

Install Endpoint Protection for VM

Risk: High

Target: VM (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Endpoint protection software such as Microsoft Antimalware can help protect Azure virtual machines (VMs) from viruses, spyware, and other malicious software. Azure Security Center monitors the status of anti-malware protection on VMs, alerting users to any unprotected VMs. Once installed, endpoint protection provides real-time detection of malicious software and can prevent it from installing or running on your VMs.

Resolution
Install endpoint protection solution on virtual machines

Strengthen VM Security using Azure Container Security

Risk: High

Target: VM (Azure)

Compliance:

Description
Azure Container Security helps organizations ensure their container workloads are secure and compliant. It provides visibility and control of container images running in Azure and helps to identify potential security risks or misconfigurations. Azure Container Security also offers tools to detect and remediate container vulnerabilities and monitor container health. This helps reduce the risk of attacks and data breaches and ensures that containers comply with organizational standards and industry regulations.

Resolution
Overview of Microsoft Defender for Containers

Disable Plain FTP Deployment

Risk: High

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Disabling Plain FTP Deployment is a security measure that provides benefits such as improved security, compliance, better control, and improved performance. It improves security by requiring the use of secure file transfer protocols, such as SFTP or FTPS, and avoids the vulnerabilities of plain FTP. It helps organizations meet compliance requirements and provides better control over access to the deployment. Additionally, it improves performance by using encryption and compression to improve transfer speeds and reduce latency. It is an important best practice for organizations that deploy applications or services and must protect sensitive data.

Resolution
Deploy your app to Azure App Service using FTP/S

Enable Immutable Blob Storage

Risk: High

Target: Blob Container

Compliance:

Description
The Immutable Blob Storage feature in Microsoft Azure Storage provides an added layer of protection against the modification and deletion of blob objects, making it suitable for storing sensitive data and meeting regulatory requirements. To ensure data protection, enable the feature for Azure Storage containers that hold critical information, which allows the data to be stored in a non-modifiable and non-erasable WORM state for a user-specified interval. The feature includes two policies: a time-based immutability policy for regulatory compliance and a legal hold policy for indefinite data retention. Once set, these policies protect the data from modifications and deletions.

Resolution
Store business-critical blob data with immutable storage

Configure Latest Minimum TLS Version for Storage Account

Risk: High

Target: Storage Account

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Configuring a storage account’s latest minimum TLS version is crucial for maintaining robust security, protecting sensitive data, complying with regulatory frameworks, and staying up-to-date with industry standards. It helps prevent cyber threats, maintains data integrity, and ensures the use of the most robust encryption and security protocols.

Resolution
Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account

Enable Transparent Data Encryption for SQL Database

Risk: Medium

Target: SQL Database

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling Transparent Data Encryption (TDE) for SQL Database is crucial for protecting sensitive data at rest, ensuring compliance, protecting data privacy, minimizing performance impact, and simplifying management of encrypted databases and backups. TDE encrypts the data stored in the database and associated backups, making it unreadable without the appropriate encryption keys, and has a minimal performance impact on SQL Database.

Resolution
Transparent data encryption (TDE)

Monitor Missing Endpoint Protection on VM in Security Center

Risk: High

Target: VM (Azure)

Compliance:

Description
Enable endpoint protection monitoring in Azure Security Center to safeguard Azure virtual machines from viruses, spyware, and malicious software. This feature provides comprehensive security recommendations and ensures all Windows virtual machines have endpoint protection for enhanced security.

Resolution
Endpoint protection assessment and recommendations in Microsoft Defender for Cloud

Enable Diagnostics Logs in Namespaces

Risk: Medium

Target: Service Bus Namespaces

Compliance:

Description
Enabling diagnostics logs in namespaces in Azure provides several benefits, including troubleshooting issues with your application, monitoring performance, complying with regulatory requirements, and optimizing costs. By capturing detailed information about the behavior of your application, you can gain valuable insights that can help you improve the quality of your application and optimize resource consumption. It is considered a best practice to enable diagnostics logs to ensure the smooth operation of your application and meet compliance requirements.

Resolution
Enable diagnostics logs for Notification Hubs

Check Encryption for SQL TDE Protector

Risk: High

Target: SQL Server (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Checking the encryption for SQL TDE Protector is important to ensure the security and integrity of sensitive data stored in a Microsoft SQL Server database. It helps identify vulnerabilities or weaknesses in security measures and ensures compliance with data protection regulations.

Resolution
Transparent data encryption (TDE)

Enable Vulnerability Assessment on SQL Servers

Risk: High

Target: SQL Server (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling Vulnerability Assessment on SQL Servers is important to identify and address potential security vulnerabilities in the database environment, prevent security breaches and data loss, ensure compliance with data protection regulations, and establish a culture of security awareness and best practices for database security.

Resolution
Enable vulnerability assessment on your Azure SQL databases

Classify Sensitive Data in SQL Database

Risk: High

Target: SQL Database

Compliance:

Description
Classifying sensitive data in SQL databases is important to identify and manage access to sensitive data, define appropriate security controls, comply with regulatory requirements, and effectively manage data storage and retention.

Resolution
SQL Data Discovery and Classification

Assign Subnet to Network Security Group

Risk: High

Target: Subnet (Azure)

Compliance:

Description
Assigning a subnet to a Network Security Group (NSG) is important for managing network traffic flow in Azure Virtual Networks, protecting resources from unauthorized access and potential security threats, and enabling centralized control and management of network security policies, ensuring consistent security policies across all resources within the subnet.

Resolution
Filtering network traffic

Install System Updates on Virtual Machines

Risk: High

Target: VM (Azure)

Compliance:

Description
Installing system updates on virtual machines is essential to ensure the security and stability of the virtual environment, reduce the risk of cyber-attacks and other security threats, and comply with regulatory requirements related to data protection. It helps fix vulnerabilities and software bugs that attackers can exploit and maintain the integrity and availability of the virtual environment.

Resolution
Manage updates and patches for your VMs

Enable Diagnostic Logs for Azure Logic Apps Workflows

Risk: High

Target: Workflow

Compliance:

Description
Enabling diagnostic logs in Logic Apps in Azure is important because it provides valuable information for troubleshooting, performance analysis, and activity monitoring. Diagnostic logs capture information such as request and response details, workflow run history, and errors encountered during execution. Without diagnostic logs, identifying the root cause of issues or errors can be difficult and lead to longer downtimes, negatively impacting business operations.

Resolution
Set up logging to monitor logic apps in Microsoft Defender for Cloud

Enable Trusted Microsoft Services to Access Storage Account

Risk: Critical

Target: Storage Account

Compliance:

Description
Enabling Trusted Microsoft Services to access your storage account provides seamless integration, simplified management, security, scalability, and improved productivity. It allows for secure and efficient integration with various Azure services while adhering to the principle of least privilege, making it easier to scale and manage access permissions.

Resolution
Configure Azure Storage firewalls and virtual networks

Define Authorized IP Ranges for AKS API Server

Risk: Low

Target: AKS

Compliance:

Description
Defining authorized IP ranges for the AKS API server is a security best practice that limits access to authorized clients, helps comply with regulatory requirements, optimizes resource utilization, and reduces data transfer and network usage costs.

Resolution
Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)

Enable Add-on Policies for AKS

Risk: Low

Target: AKS

Compliance:

Description
Enabling add-on policies for AKS can enhance security by enforcing best practices, improving the management of resources and workloads, enabling better monitoring of cluster health and performance, and providing automation capabilities for tasks and processes within the cluster.

Resolution
Understand Azure Policy for Kubernetes clusters

Enable Auto-Provisioning Policy for Defender Log Analytics Agent

Risk: Medium

Target: Defender for Cloud

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling ‘Auto-Provisioning Policy for Defender Log Analytics Agent’ streamlines deployment, ensures consistent security, minimizes human error, saves time and resources, supports scalability, and aids in compliance. This results in a comprehensive and efficient security monitoring solution across your infrastructure.

Resolution
Deploy the Azure Monitor Agent to protect your servers with Microsoft Defender for Cloud

Disable Kubernetes Dashboard

Risk: Low

Target: AKS

Compliance:

Description
Disabling the Kubernetes Dashboard helps control access, reduces the attack surface, and optimizes resource utilization; it is a best practice recommended by the Kubernetes community.

Resolution
Access the Kubernetes Dashboard in Azure Stack Hub

Enable Private Cluster for AKS

Risk: Low

Target: AKS

Compliance:

Description
Enabling private clusters for AKS can improve security by isolating the Kubernetes API server, reducing the attack surface by eliminating the need for public IPs and load balancers, helping with compliance, and providing better network performance for Kubernetes workloads.

Resolution
Public and Private AKS Clusters Demystified

Remove Custom Owner Roles

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Removing custom owner roles can be beneficial in simplifying access control, enhancing security, ensuring compliance, promoting standardization, reducing redundancy, and aligning with changing organizational needs. However, it’s crucial to carefully evaluate the potential impact and consult with stakeholders before making changes to avoid unintended consequences.

Resolution
Create or update Azure custom roles using the Azure portal

Restrict Network Ports on Network Security Groups Associated to VM

Risk: High

Target: VM (Azure)

Compliance:

Description
Network security groups (NSGs) can control inbound and outbound traffic to VMs; by default, they allow all traffic. Restricting network ports on network security groups associated with VMs is important for improving security in cloud environments. By limiting the range of open network ports, organizations can prevent unauthorized access to their resources and reduce the risk of security breaches. This will also ensure that only the necessary traffic is allowed, reducing the attack surface and improving overall security.

Resolution
Filter network traffic with a network security group using the Azure portal

Enable Disk Encryption Monitoring and Recommendations for Microsoft Azure Virtual Machines (VMs)

Risk: Medium

Target: VM (Azure)

Compliance:

Description
Enabling disk encryption monitoring and recommendations for Microsoft Azure virtual machines (VMs) provides enhanced security, compliance, improved visibility, simplified management, and cost savings. It helps protect data, provides greater visibility into the encryption status of VMs, and identifies opportunities for cost savings. It is an essential component of a robust security strategy for organizations handling sensitive data on their Azure VMs.

Resolution
Use asset inventory to manage your resources’ security posture

Enable App Service Web App Authentication

Risk: Critical

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling App Service Web App Authentication is a security measure that provides benefits such as improved security, compliance, simplified authentication, customizable authentication, and single sign-on. It improves security by preventing unauthorized access to web applications and protecting against security threats. It helps meet compliance requirements and simplifies the process of adding authentication to web applications. It allows authentication customization and supports single sign-on, enabling users to log in once and access multiple applications. It is an essential best practice for organizations that deploy web applications and need to protect sensitive data.

Resolution
Authentication and authorization in Azure App Service and Azure Functions

Set SQL Audit Retention Duration

Risk: High

Target: SQL Server (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Setting SQL Audit Retention Duration is essential for maintaining compliance with industry regulations, optimizing storage management, enhancing data security, simplifying data analysis, and ensuring consistency with overall data retention policies.

Resolution
Auditing for Azure SQL Database and Azure Synapse Analytics

Enable AKS Cluster Monitoring

Risk: Medium

Target: AKS

Compliance:

Description
Enabling AKS cluster monitoring is crucial for gaining performance insights, proactive troubleshooting, resource optimization, custom alerting, compliance maintenance, and ensuring security. It aids in identifying and resolving issues promptly, enhancing overall efficiency and reducing downtime.

Resolution
Enable Container insights for Azure Kubernetes Service (AKS) cluster

Ensure that MySQL Flexible Database Server has the Latest TLS Version

Risk: High

Target: MySQL Flexible Server

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Ensuring that your MySQL Flexible Database Server has the latest TLS version is crucial for enhanced security, compliance with regulations, compatibility with other systems, improved performance, and maintaining trust and reputation. Regularly updating and monitoring TLS configurations helps maintain a secure environment and protects sensitive data.

Resolution
SSL/TLS connectivity in Azure Database for MySQL

Enable Log Alert for Delete Key Vault Events

Risk: High

Target: Subscription

Compliance:

Description
Configure a Microsoft Azure activity log alert to trigger whenever a “Delete Key Vault” event occurs in your Azure cloud account. This alert condition improves Key Vault resource security and management by reducing the time required to mitigate accidental or intentional deletions using the Microsoft Azure Monitor service.

Resolution
Configure Azure Key Vault alerts

Enable Log Alert for Delete SQL DB

Risk: High

Target: Subscription

Compliance:

Description
To improve the security and availability of Azure SQL databases and reduce the impact of accidental or intentional deletions, monitor for “Delete Azure SQL Database” events using Microsoft Azure Monitor service and an Azure activity log alert. This alert triggers notifications whenever events matching the conditions of the “Administrative” category and “Delete Azure SQL Database (Microsoft.Sql/servers/databases)” signal name in the Activity Log occur.

Resolution
Create a new alert rule

Enable Log Alert for Create/Update MySQL DB

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for creating/updating operations in a MySQL database is crucial for maintaining security, performance, and compliance. It helps detect unauthorized access, provide an audit trail, identify performance bottlenecks and troubleshoot issues, ensure accountability, enable proactive maintenance, and aid disaster recovery efforts.

Resolution
Set up alerts on metrics for Azure Database for MySQL – Flexible Server

Enable Log Alert for Deallocate VM Event

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for Deallocate VM events is essential for cost management, security, compliance, resource management, troubleshooting, and promoting accountability. It helps detect unauthorized activity, maintain audit trails, ensure efficient resource usage, minimize downtime, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Network Security Group

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for Network Security Group events in Azure is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage network traffic effectively, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Account Delete Network Security Group Rule

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for Account Delete Network Security Group Rule events is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage network traffic effectively, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Delete Policy Assignment

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling log alerts for Delete Policy Assignment events in Azure is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage resources according to established policies, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Delete PostgreSQL Database

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for Delete PostgreSQL Database events in Azure is essential for security, compliance, data protection, troubleshooting, resource management, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, protect valuable information, minimize downtime, manage resources effectively, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Delete Security Solution Event

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling log alerts for Delete Security Solution events in Azure is essential for security, compliance, configuration management, troubleshooting, visibility, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, identify misconfigurations, minimize downtime, manage security infrastructure effectively, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Enable Log Alert for Delete VM

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for deleting virtual machines (VMs) in Microsoft Azure is crucial for preventing accidental or unauthorized VM deletions and maintaining the security and integrity of an organization’s cloud infrastructure. This alert provides immediate notifications when a VM is deleted, allowing administrators to take prompt action to restore any deleted VMs and investigate unauthorized deletion attempts. Log alerts also provide insights into who initiated the deletion and when it occurred, enabling administrators to track any suspicious or malicious activity. Moreover, log alerts for deleting VMs are important for compliance and regulatory requirements.

Resolution
Create a new alert rule

Provision Active Directory Administrator for SQL Servers

Risk: High

Target: SQL Server (Azure)

Compliance:

Description
Configuring Azure Active Directory authentication allows for central identity management and access to Azure SQL databases through an Active Directory administrator. This simplifies permission management, improves security, and reduces the number of user identities. Additional benefits include password rotation in one place, external group management of permissions, and support for various forms of authentication. Connections from SQL Server Management Studio and SQL Server Data Tools are also enabled.

Resolution
Configure and manage Azure AD authentication with Azure SQL

Enable Log Alert for Delete Storage Account

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for deleting storage accounts in Microsoft Azure is crucial for preventing accidental or unauthorized deletion of critical data, maintaining data security and integrity, and ensuring compliance with regulatory requirements. This alert enables administrators to receive immediate notifications when a storage account is deleted, allowing them to take prompt action to restore any deleted data and investigate any unauthorized deletion attempts. Additionally, log alerts provide insights into who initiated the deletion and when it occurred, enabling administrators to track any suspicious or malicious activity.

Resolution
Create a new alert rule

Enable Log Alert for Rename SQL DB

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for renaming SQL databases in Microsoft Azure is crucial for preventing accidental or unauthorized renaming of critical databases, maintaining the security and integrity of an organization’s cloud infrastructure, and ensuring compliance with regulatory requirements. This alert provides immediate notifications when a database is renamed, allowing administrators to take prompt action to restore any renamed databases and investigate unauthorized renaming attempts. Log alerts also provide insights into who initiated the renaming and when it occurred, enabling administrators to track any suspicious or malicious activity. Moreover, log alerts for renaming databases are important for compliance and regulatory requirements.

Resolution
Create a new alert rule

Enable Log Alert for Create/Update Security Solution

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for creating or updating security solutions in Microsoft Azure is crucial for maintaining the security and integrity of an organization’s cloud infrastructure. This alert provides immediate notifications when a “Create” or “Update Security Solution” event occurs, enabling administrators to take prompt action to investigate any unauthorized creation or modification attempts. Azure activity log alerts are activated whenever a new activity log event that matches the condition specified in the alert occurs, and in this case, the alert condition searches for Security Activity Logs that have “any” level, with “any” status and event initiated by “any”.

By monitoring Azure accounts for “Create” or “Update Security Solution” events, administrators can gain insights into the changes made for their Azure Security Solutions and can reduce the time it takes to detect suspicious activity. Log alerts for creating or updating security solutions are also important for compliance and regulatory requirements, as most compliance frameworks require organizations to monitor and track activities that involve creating or modifying security solutions.

Resolution
Create a new alert rule

Enable Log Alert for Update Key Vault Activity

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for updating Key Vault activity in Microsoft Azure is crucial for maintaining the security and integrity of an organization’s cloud infrastructure. This alert provides immediate notifications when an “Update Key Vault” event occurs, allowing administrators to take prompt action to investigate any unauthorized modification attempts. Azure activity log alerts are triggered whenever a new activity log event that matches the condition specified in the alert configuration occurs.

To comply with this rule, an Azure activity log alert must be fired whenever “Update Key Vault” events are triggered within the Microsoft Azure cloud account. The alert configuration should match the condition “Whenever the Activity Log has an event with Category=’Administrative’, Signal name=’Update Key Vault (vaults)’”.

Log alerts for updating Key Vault activity are crucial for maintaining Azure security and ensuring compliance with regulatory requirements. By enabling log alerts for updating Key Vault activity, administrators can gain insights into the changes made to their Key Vault, reduce the time it takes to detect suspicious activity and comply with regulatory requirements that mandate monitoring and tracking of data modifications and access.

Resolution
Configure Azure Key Vault alerts

Enable Log Alert for Update Security Policy

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
To quickly detect security policy changes and reduce the risk of unauthorized modifications in your Azure cloud account, it is recommended to monitor the “Update Security Policy” events. You can achieve this by configuring an Azure activity log alert that triggers whenever a new event matching any level, any status, and any entity initiating the event occurs.

Resolution
Create a new alert rule

Enable Log Alert for Create/Update Storage Account

Risk: High

Target: Subscription

Compliance:

Description
To detect and prevent unauthorized activity in your Microsoft Azure cloud account, monitor for “Create/Update Storage Account” events using Azure activity log alerts. These alerts trigger notifications whenever events that match the specified configuration occur, which in this case includes the “Administrative” category and “Create/Update Storage Account (Microsoft.Storage/storageAccounts)” signal name in the Activity Log.

Resolution
Create a new alert rule

Enable Log Alert for Create/Update Delete SQL Server Firewall Rule

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
To detect suspicious activity at the SQL server firewall level in your Microsoft Azure account, monitor for “Create,” “Update,” or “Delete SQL Server Firewall Rule” events using an Azure activity log alert. This alert triggers notifications whenever the specified events occur, matching the conditions of the “Administrative” activity log and “Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)” signal name, with any level, any status, and initiated by any entity.

Resolution
Create a new alert rule

Enable the Vulnerability Assessment ‘Periodic Recurring Scans’

Risk: Medium

Target: SQL Server (Azure)

Compliance:

Description
Enabling periodic recurring scans in Vulnerability Assessment maintains continuous security, detects new threats, ensures compliance, tracks remediation progress, prioritizes risk management, and adapts to evolving threats. This protects your systems and data by staying proactive and informed.

Resolution
SQL vulnerability assessment helps you identify database vulnerabilities

Redirect All Traffic from HTTP to HTTPS

Risk: High

Target: Web App

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Redirecting all web application traffic from HTTP to HTTPS in Azure provides several benefits, including improved security through encryption, compliance with regulatory requirements, improved search engine optimization, and avoiding mixed content warnings. It is considered a best practice to ensure a seamless and secure user experience.

Resolution
Create an application gateway with HTTP to HTTPS redirection using the Azure portal

Enable JIT Access to Secure VM Management

Risk: High

Target: VM (Azure)

Compliance:

Description
Microsoft Azure Security Center offers Just-in-Time (JIT) access as a threat prevention control that reduces the attack surface. JIT access locks down virtual machines at the network level by blocking inbound traffic to management ports, and allows you to create policies to control access. Enabling JIT access for Azure virtual machines is essential to improve security and reduce exposure to attacks while still providing SSH/RDP access when needed.

Resolution
Secure your management ports with just-in-time access

Create Policy Assignment Log Alert

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
It’s recommended to configure an Azure activity log alert for detecting “Create Policy Assignment” events in your Microsoft Azure cloud account. This alert is triggered whenever a new activity log event matches the specified condition. Monitoring such events can help you gain visibility into changes made within the “Policy Assignment” Azure policy and quickly identify any unauthorized changes.

Resolution
Create a new alert rule

Set Retention Duration to ‘Greater than N days’ for SQL Server

Risk: High

Target: SQL Server (Azure)

Compliance:

Description
Setting the retention duration to greater than 90 days for SQL Server in Azure can benefit data recovery, compliance, auditing and reporting, troubleshooting, and disaster recovery. However, consider the potential increase in storage costs and management resources before determining the appropriate retention duration for your organization’s needs.

Resolution
Manage Azure SQL Database long-term backup retention

Assign Mandatory Tags to Blob Container

Risk: High

Target: Blob Container

Compliance:

Description
Assigning mandatory tags to Blob containers can provide several benefits, including improved data governance, resource allocation, enhanced data visibility, security, and streamlined operations. These tags help to correctly classify and label data, track resource usage, restrict access to sensitive data, automate routine tasks, and optimize resource allocation.

Resolution
Set Blob Tags

Assign Mandatory Tags to Databricks

Risk: High

Target: Databricks

Compliance:

Description
Assigning mandatory tags to Databricks can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Monitor usage using cluster and pool tags

Assign Mandatory Tags to Disk

Risk: High

Target: Managed Disk

Compliance:

Description
Assigning mandatory tags to Disks can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use tags to organize your Azure resources and management hierarchy

Assign Mandatory Tags to MySQL Server

Risk: High

Target: MySQL Server (Azure)

Compliance:

Description
Assigning mandatory tags to MySQL Server can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Manage MySQL servers

Assign Mandatory Tags to Network Security Group

Risk: High

Target: NSG

Compliance:

Description
Assigning mandatory tags to Network Security Group can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Network Security Groups – Update Tags

Assign Mandatory Tags to Resource Group

Risk: High

Target: Resource Group

Compliance:

Description
Assigning mandatory tags to Resource Group can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use tags to organize your Azure resources and management hierarchy

Assign Mandatory Tags to Security Center

Risk: High

Target: Security Centre

Compliance:

Description
Assigning mandatory tags to Security Center can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
required-tag

Assign Mandatory Tags to SQL Database

Risk: High

Target: SQL Database

Compliance:

Description
Assigning mandatory tags to SQL Database can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use tags to organize your Azure resources and management hierarchy

Assign Mandatory Tags to SQL Server

Risk: High

Target: SQL Server (Azure)

Compliance:

Description
Assigning mandatory tags to SQL Server can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use tags to organize your Azure resources and management hierarchy

Assign Mandatory Tags to Virtual Machine

Risk: High

Target: VM (Azure)

Compliance:

Description
Assigning mandatory tags to Virtual Machines can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use tags to organize your Azure resources and management hierarchy

Assign Mandatory Tags to Virtual Network

Risk: High

Target: Virtual Network

Compliance:

Description
Assigning mandatory tags to Virtual Network can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Virtual network service tags

Assign Mandatory Tags to Storage Account

Risk: High

Target: Storage Account

Compliance:

Description
Assigning mandatory tags to Storage Account can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use tags to organize your Azure resources and management hierarchy

Create AWS KMS Customer Master Key for Database-Tier

Risk: High

Target: Key Vault

Compliance:

Description
Using your own AWS KMS Customer Master Key (CMK) to encrypt data in your database-tier provides you with complete control over encryption key ownership and usage. It’s recommended to create an Amazon KMS Customer Master Key (CMK) for your database tier to protect data-at-rest in your AWS web stack and meet security and compliance requirements. You can easily rotate, audit, and disable the key with Amazon KMS. Additionally, it’s advised to tag AWS resources in your database tier to better manage and organize your resources.

Resolution
Creating keys

Set Expiration Date for RBAC for Keys in Key Vaults

Risk: High

Target: Vaults With Role Based Access Control

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
It is important to have an explicit expiration time for all Microsoft Azure Key Vault keys to meet cloud security best practices and renew them before their expiration date to maintain security and compliance. Regularly check for expiring keys and create new versions of these keys to ensure security and compliance. Configuration for key renewal before expiration should be set on the Cloud Conformity account dashboard before running this rule.

Resolution
Azure Policy built-in definitions for Key Vault

Set Expiration Date for RBAC for Secrets in Key Vaults

Risk: High

Target: Vaults With Role Based Access Control

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Setting an expiration date for RBAC for secrets in Key Vaults is important to help secure and protect confidential information. It limits access time, ensures timely reviews of users and applications with access to the secret, and helps avoid forgotten secrets becoming security risks.

Resolution
Azure Policy built-in definitions for Key Vault

Enable Log Alert for MySQL Database

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for MySQL databases in Azure is essential for security, compliance, performance, troubleshooting, resource management, and promoting accountability. It helps detect unauthorized activities, maintain audit trails, optimize database performance, minimize downtime, manage resources effectively, and encourage responsible practices within the organization.

Resolution
Create a new alert rule

Encrypt VM Disk Volume Using CMK

Risk: High

Target: VM (Azure)

Compliance:

Description
Microsoft Azure provides multiple layers of encryption protection for virtual machine-managed disks using platform-managed keys. However, it is recommended to use customer-managed keys for finer control over encryption/decryption. This provides complete control over who can access the encrypted data on managed disks, reducing the risk of sensitive data disclosure even for unattached disks.

Resolution
Create and encrypt a Windows virtual machine with the Azure portal

Enable Vulnerability Assessment (VA) Setting ‘Also Send Email Notifications to Admins and Subscription Owners’

Risk: High

Target: SQL Server (Azure)

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling the “Also Send Email Notifications to Admins and Subscription Owners” setting in Vulnerability Assessment promotes timely remediation, improved security awareness, shared accountability, centralized communication, and comprehensive reporting. This helps maintain a proactive security posture and fosters a security-aware culture within the organization.

Resolution
SQL vulnerability assessment helps you identify database vulnerabilities

Delete Unused Scale Set

Risk: High

Target: VM Scale Set

Compliance:

Description
Deleting unused scale sets in Azure is essential for cost savings, resource efficiency, simplified management, security, and performance optimization. It aligns with scalability, helps with resource planning, reduces technical debt, and avoids unnecessary licensing costs. Removing unused resources enhances backup and disaster recovery processes, promotes consistency, and ensures a clean, well-maintained Azure environment.

Resolution
Azure Virtual Machine Scale Sets

Delete Unused VM Disk

Risk: High

Target: Managed Disk

Compliance:

Description
Deleting unused VM disks in Azure is crucial for cost savings, efficient resource usage, improved performance, security, and simplified management. It reduces storage expenses, optimizes storage capacity, enhances data privacy, and streamlines backup and compliance efforts. This practice also ensures that resources are effectively allocated to active workloads while minimizing administrative overhead.

Resolution
Identify Unattached Azure Disks

Delete Unused Load Balancer

Risk: High

Target: Load Balancer (Azure)

Compliance:

Description
Deleting unused load balancers in Azure is crucial to save costs, optimize resource utilization, enhance network performance, and improve security. It simplifies management, aids resource planning, ensures service availability, and supports environmental sustainability. Deleting these resources prevents security risks, avoids technical debt, and facilitates efficient auditing and documentation.

Resolution
Manage Rules for Azure Load Balancer

Enable Log Alert for Create/Update Network Security Group

Risk: High

Target: Subscription

Compliance: CIS Microsoft Azure Foundations Benchmark v1.5.0

Description
Enabling log alerts for creating or updating Network Security Groups (NSGs) in Azure enhances security by providing real-time visibility, early threat detection, compliance auditing, and efficient incident response. These alerts aid in enforcing policies, maintaining proper configuration, and automating remediation. They also offer operational insights and support proactive security measures, helping organizations manage and protect their network environments effectively.

Resolution
Create/Edit an Alert Rule

Enable Log Alert for Create/Update SQL DB

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for creating or updating SQL databases in Azure offers real-time security monitoring, early threat detection, compliance auditing, and efficient incident response. These alerts ensure policy enforcement, proper configuration management, and automation for remediation. Additionally, they provide operational insights and support proactive security measures, helping organizations effectively manage and protect their SQL database environments.

Resolution
Create/Update Activity Log Alerts

Enable Log Alert for PostgreSQL DB

Risk: High

Target: Subscription

Compliance:

Description
Enabling log alerts for PostgreSQL databases in Azure provides real-time security monitoring, early threat detection, compliance auditing, and effective incident response. These alerts ensure policy enforcement, proper configuration management, and automation for prompt remediation. They also offer operational insights and support proactive security measures, enhancing the management and protection of PostgreSQL database environments.

Resolution
Create/Edit Alert Rule