SevenStones/azure-CIS-cli-script

azure-CIS-cli-script

Various Bash CLI scripts for the Azure CIS Benchmark 2.0 controls listed below.

Note: before running any script, populate the subscriptions.txt file with the subscription IDs to audit, one ID per line.

1.4, 1.5 - Review Guest Users (the script lists the guest users configured in Microsoft Entra ID)

1.23 – Ensure That No Custom Subscription Administrator Roles Exist

3.1 - Ensure that 'Secure transfer required' is set to 'Enabled' [Storage Accounts]

3.2 - Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’

3.7 - Ensure that 'Public access level' is disabled for storage accounts with blob containers

3.10 - Ensure Private Endpoints are used to access Storage Accounts

3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys

3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"

5.1.3 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

5.1.6 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

6.5 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

6.7 - Ensure that Public IP addresses are Evaluated on a Periodic Basis (lists the addresses)

7.4 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) (lists unattached disks)

8.2 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (most key vaults use the RBAC permission model, which makes this control not applicable to them; one script lists the RBAC and non-RBAC key vaults, and a second, untested script lists the keys without an expiration date in the non-RBAC vaults)

8.3 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (the script is untested for lack of access to a test key vault)

8.4 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (most key vaults use the RBAC permission model, which makes this control not applicable to them; one script lists the RBAC and non-RBAC key vaults, and a second, untested script lists the secrets without an expiration date in the non-RBAC vaults)

10.1 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
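As an added example (not one of the repository's scripts), the following Bash script shows the pattern the controls above share: read the subscription IDs from subscriptions.txt, query each subscription with az, and evaluate the returned properties. It covers 3.1 and 3.15 together because both come from the same `az storage account list` call. The function names, output format and sample rows are this example's own; the az command, its `--query` projection and the property names `enableHttpsTrafficOnly` and `minimumTlsVersion` are the real Azure CLI ones.

```bash
#!/usr/bin/env bash
# Added example, not one of the repository's scripts: checks CIS Azure 2.0
# controls 3.1 (Secure transfer required) and 3.15 (Minimum TLS version 1.2)
# for every storage account in every subscription listed in subscriptions.txt
# (one subscription ID per line). Needs a logged-in az CLI for a real run;
# with --demo, or when az or subscriptions.txt is absent, it evaluates a
# constructed sample instead.
set -eu

tab=$(printf '\t')

# Evaluate one storage account. Prints "<name><TAB>PASS" or
# "<name><TAB>FAIL<TAB><findings>" and returns 1 when there is a finding.
#   $1 name   $2 enableHttpsTrafficOnly   $3 minimumTlsVersion
check_storage_account() {
  local name=$1 https_only=${2:-} min_tls=${3:-} findings=""

  # az tsv output renders booleans as True/False; accept any casing.
  case "$https_only" in
    true|True|TRUE) ;;
    *) findings="3.1 secure transfer not enforced" ;;
  esac

  # 3.15: TLS1_2 (or the newer TLS1_3) satisfies the control. An empty value
  # means minimumTlsVersion was never set on the account (older accounts);
  # the control requires an explicit 1.2, so that is reported as a finding
  # rather than assuming a service default.
  case "$min_tls" in
    TLS1_2|TLS1_3) ;;
    "") findings="${findings:+$findings;}3.15 minimum TLS version not set" ;;
    *)  findings="${findings:+$findings;}3.15 minimum TLS version is $min_tls" ;;
  esac

  if [ -z "$findings" ]; then
    printf '%s\tPASS\n' "$name"
    return 0
  fi
  printf '%s\tFAIL\t%s\n' "$name" "$findings"
  return 1
}

# Rows on stdin: name<TAB>enableHttpsTrafficOnly<TAB>minimumTlsVersion.
# minimumTlsVersion is deliberately the last column: it can be empty, and the
# shell collapses adjacent tabs when splitting on IFS whitespace, so an empty
# middle column would shift the fields to the left.
evaluate_rows() {
  local sub=$1 name https_only min_tls total=0 failed=0
  while IFS="$tab" read -r name https_only min_tls; do
    [ -n "$name" ] || continue
    total=$((total + 1))
    check_storage_account "$name" "$https_only" "$min_tls" || failed=$((failed + 1))
  done
  printf '# %s: %d of %d storage accounts fail 3.1 or 3.15\n' "$sub" "$failed" "$total"
}

# Query one subscription; the --query projection emits exactly the three
# columns evaluate_rows expects. az gets </dev/null so it cannot consume the
# stdin that the subscription loop in main is reading from.
audit_subscription() {
  local sub=$1
  az storage account list --subscription "$sub" \
    --query '[].[name, enableHttpsTrafficOnly, minimumTlsVersion]' -o tsv </dev/null |
    evaluate_rows "$sub"
}

main() {
  if [ "${1:-}" = "--demo" ] || ! command -v az >/dev/null 2>&1 || [ ! -r subscriptions.txt ]; then
    echo "# demo mode: evaluating constructed sample rows, not live data" >&2
    printf '%s\t%s\t%s\n' \
      stgcompliant   True  TLS1_2 \
      stglegacytls   True  TLS1_0 \
      stghttpallowed False TLS1_2 \
      stgneverset    True  '' |
      evaluate_rows "sample-subscription"
    return 0
  fi
  # One subscription ID per line; blank lines and '#' comments are skipped.
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' subscriptions.txt | while read -r sub; do
    audit_subscription "$sub"
  done
}

main "$@"
```

Run it with `--demo` to see the evaluation on the constructed rows, or from a logged-in az session with subscriptions.txt present for a real audit. The constructed sample includes an account with no `minimumTlsVersion` at all, which is the case an audit most easily misses: such accounts predate the property and must not be assumed compliant.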

5.1.6 needed some work: the 'nsg' parameter of az network watcher flow-log show has been deprecated. The command still runs, with a warning, when '--nsg' is used, but the script now follows the deprecation notice and identifies the flow log with the '--location' and '--name' combination instead.
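The following added example (again not the repository's own script) audits flow logs the way the note describes, enumerating them per region with `az network watcher flow-log list --location` rather than the deprecated `--nsg` parameter, and evaluating 5.1.6 and 6.5 in one pass. It also compares the NSG inventory against the flow logs' targets, because an NSG with no flow log resource at all never shows up in the flow-log listing. The helper names, output format and sample rows are this example's; the az commands and the properties `enabled`, `retentionPolicy.days`, `targetResourceId` and `flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled` are the CLI's.

```bash
#!/usr/bin/env bash
# Added example, not one of the repository's scripts: audits NSG flow logs for
# CIS Azure 2.0 5.1.6 (captured and sent to Log Analytics through Traffic
# Analytics) and 6.5 (retention over 90 days). Flow logs are listed per region
# with 'az network watcher flow-log list --location', the replacement for the
# deprecated '--nsg' form. Needs a logged-in az CLI; with --demo, or when az or
# subscriptions.txt is absent, it evaluates a constructed sample instead.
set -eu

tab=$(printf '\t')

# Evaluate one flow log. Prints "<name><TAB>PASS" or "<name><TAB>FAIL<TAB><findings>"
# and returns 1 when there is a finding.
#   $1 name  $2 enabled  $3 retentionPolicy.days
#   $4 Traffic Analytics enabled (empty when Traffic Analytics was never configured)
check_flow_log() {
  local name=$1 enabled=${2:-} days=${3:-} ta=${4:-} findings=""
  # az tsv output renders booleans as True/False; accept any casing.
  case "$enabled" in
    true|True|TRUE) ;;
    *) findings="5.1.6 flow log disabled" ;;
  esac
  # Traffic Analytics is the feature that forwards flow records to Log Analytics.
  case "$ta" in
    true|True|TRUE) ;;
    *) findings="${findings:+$findings;}5.1.6 not sent to Log Analytics" ;;
  esac
  # 6.5: retention must exceed 90 days. Azure stores "keep forever" as 0 days,
  # which satisfies the control; 1..90 days, or an unreadable value, does not.
  case "$days" in
    0) ;;
    ''|*[!0-9]*) findings="${findings:+$findings;}6.5 retention days unreadable" ;;
    *) [ "$days" -gt 90 ] || findings="${findings:+$findings;}6.5 retention is $days days" ;;
  esac
  [ -z "$findings" ] && { printf '%s\tPASS\n' "$name"; return 0; }
  printf '%s\tFAIL\t%s\n' "$name" "$findings"
  return 1
}

# Rows on stdin: name<TAB>enabled<TAB>days<TAB>trafficAnalyticsEnabled. The one
# column that can be empty is last: the shell collapses adjacent tabs when it
# splits on IFS whitespace, so an empty middle column would shift the fields.
evaluate_rows() {
  local scope=$1 name enabled days ta total=0 failed=0
  while IFS="$tab" read -r name enabled days ta; do
    [ -n "$name" ] || continue
    total=$((total + 1))
    check_flow_log "$name" "$enabled" "$days" "$ta" || failed=$((failed + 1))
  done
  printf '# %s: %d of %d flow logs fail 5.1.6 or 6.5\n' "$scope" "$failed" "$total"
}

# NSGs with no flow log resource never appear in 'flow-log list', so 5.1.6 also
# needs the NSG inventory (IDs on stdin) compared against the flow logs'
# targets ($1: file with one targetResourceId per line). Resource IDs are
# compared case-insensitively because Azure returns them with mixed casing.
report_nsgs_without_flow_logs() {
  local targets=$1 nsg_id missing=0
  while read -r nsg_id; do
    [ -n "$nsg_id" ] || continue
    grep -Fixq -- "$nsg_id" "$targets" && continue
    printf '%s\tFAIL\t5.1.6 no flow log configured\n' "$nsg_id"
    missing=$((missing + 1))
  done
  [ "$missing" -eq 0 ]
}

# Live audit of one subscription. az gets </dev/null so it cannot swallow the
# stdin that the surrounding while-read loops depend on.
audit_subscription() {
  local sub=$1 loc rows targets
  rows=$(mktemp); targets=$(mktemp)
  az network watcher list --subscription "$sub" --query '[].location' -o tsv </dev/null |
  while read -r loc; do
    az network watcher flow-log list --subscription "$sub" --location "$loc" -o tsv \
      --query '[].[name, enabled, retentionPolicy.days, targetResourceId, flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled]' \
      </dev/null >"$rows"
    cut -f4 "$rows" >>"$targets"
    cut -f1-3,5 "$rows" | evaluate_rows "$sub/$loc"
  done
  az network nsg list --subscription "$sub" --query '[].id' -o tsv </dev/null |
    report_nsgs_without_flow_logs "$targets" || true
  rm -f "$rows" "$targets"
}

main() {
  if [ "${1:-}" = "--demo" ] || ! command -v az >/dev/null 2>&1 || [ ! -r subscriptions.txt ]; then
    echo "# demo mode: evaluating constructed sample rows, not live data" >&2
    printf '%s\t%s\t%s\t%s\n' fl-compliant True 91 True  fl-short True 30 True \
      fl-disabled False 0 True  fl-noanalytics True 0 '' |
      evaluate_rows "sample-subscription/westeurope"
    return 0
  fi
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' subscriptions.txt | while read -r sub; do
    audit_subscription "$sub"
  done
}

main "$@"
```

Two details are easy to get wrong in a hand-written version of this check: a retention of 0 days is Azure's "keep forever" and must not be reported as a 6.5 failure, and NSGs with no flow log resource are invisible to the flow-log commands, so 5.1.6 needs the inventory comparison as well as the per-flow-log evaluation.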
