CIS Azure Benchmark Checks in tfsec
Eve edited this page Jan 18, 2022
·
35 revisions
A list of the best practices listed in the benchmark, and their status in tfsec core checks and custom checks implemented by us.
π Not Terraform-related (rules cannot be checked by looking at Terraform code): 53
π Not doable with tfsec custom checks (details): 18
βοΈ Done by tfsec (already checked in the list of checks tfsec has): 42
β
Done: 2
Just to visualize the above ratio:
ππππππππππππππππππβοΈβοΈβοΈβοΈβοΈβοΈβοΈβοΈβοΈβοΈβοΈβ
| CIS # | Policy | Status |
|---|---|---|
| 1.1 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all privileged users | π Not Terraform-related |
| 1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all non-privileged users | π Not Terraform-related |
| 1.3 | Ensure guest users are reviewed on a monthly basis | π Not Terraform-related |
| 1.4 | Ensure that 'Restore multi-factor authentication on all remembered devices' is enabled | π Not Terraform-related |
| 1.5 | Ensure that 'Number of methods required to reset' is set to '2' | π Not Terraform-related |
| 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | π Not Terraform-related |
| 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | π Not Terraform-related |
| 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | π Not Terraform-related |
| 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | π Not Terraform-related |
| 1.10 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | π Not Terraform-related |
| 1.11 | Ensure that 'Users can register applications' is set to 'No' | π Not Terraform-related |
| 1.12 | Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | π Not Terraform-related |
| 1.13 | Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | π Not Terraform-related |
| 1.14 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | π Not Terraform-related |
| 1.15 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'Yes' | π Not Terraform-related |
| 1.16 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | π Not Terraform-related |
| 1.17 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | π Not Terraform-related |
| 1.18 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | π Not Terraform-related |
| 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | π Not Terraform-related |
| 1.20 | Ensure that no custom subscription owner roles are created | βοΈ Done by tfsec |
| 1.21 | Ensure security defaults is enabled on Azure Active Directory | π Not Terraform-related |
| 1.22 | Ensure a custom role is assigned permissions for administering resource locks | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | βοΈ Done by tfsec |
| 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | βοΈ Done by tfsec |
| 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | βοΈ Done by tfsec |
| 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | βοΈ Done by tfsec |
| 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | βοΈ Done by tfsec |
| 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | βοΈ Done by tfsec |
| 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | βοΈ Done by tfsec |
| 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | βοΈ Done by tfsec |
| 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | π Not Terraform-related |
| 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud is selected | π Not Terraform-related |
| 2.11 | Ensure that auto provisioning of 'Log Analytics agent for Azure VMs' is set to 'On' | π Not Terraform-related |
| 2.12 | Ensure any of the ASC default policy setting is not set to 'Disabled' | π Not Terraform-related |
| 2.13 | Ensure 'Additional email addresses' is configured with a security contact email | π Not Terraform-related |
| 2.14 | Ensure that 'Notify about alerts with the following severity' is set to 'High' | βοΈ Done by tfsec |
| 2.15 | Ensure that 'All users with the following roles' is set to 'Owner' | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | π Not Terraform-related |
| 3.2 | Ensure that storage account access keys are periodically regenerated | π Not Terraform-related |
| 3.3 | Ensure storage logging is enabled for queue service for 'Read', 'Write', and 'Delete' requests | βοΈ Done by tfsec |
| 3.4 | Ensure that shared access signature tokens expire within an hour | π Not Terraform-related |
| 3.5 | Ensure that 'Public access level' is set to 'Private' for blob containers | π Not Terraform-related |
| 3.6 | Ensure default network access rule for storage accounts is set to deny | βοΈ Done by tfsec |
| 3.7 | Ensure 'Trusted Microsoft Services' are enabled for storage account access | βοΈ Done by tfsec |
| 3.8 | Ensure soft delete is enabled for Azure Storage | π Not Terraform-related |
| 3.9 | Ensure storage for critical data are encrypted with customer managed keys | π Not Terraform-related |
| 3.10 | Ensure storage logging is enabled for blob service for 'Read', 'Write', and 'Delete' requests | π Not Terraform-related |
| 3.11 | Ensure storage logging is enabled for table service for 'Read', 'Write', and 'Delete' requests | π Not Terraform-related |
| 3.12 | Ensure the 'Minimum TLS version' is set to 'Version 1.2' | βοΈ Done by tfsec |
| CIS # | Policy | Status |
|---|---|---|
| 4.1.1 | Ensure that 'Auditing' is set to 'On' | βοΈ Done by tfsec |
| 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | π Not Terraform-related |
| 4.1.3 | Ensure that 'Auditing' retention is 'Greater than 90 days' | βοΈ Done by tfsec |
| CIS # | Policy | Status |
|---|---|---|
| 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL Server is set to 'Enabled' | π Not doable with tfsec custom checks |
| 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL Server by setting a storage account | π Not doable with tfsec custom checks |
| 4.2.3 | Ensure that VA setting 'Periodic recurring scans' is set to 'On' for each SQL Server | π Not doable with tfsec custom checks |
| 4.2.4 | Ensure that VA setting 'Send scan reports to' is configured for a SQL server | π Not doable with tfsec custom checks |
| 4.2.5 | Ensure that Vulnerabilty Assessment setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | π Not doable with tfsec custom checks |
| CIS # | Policy | Status |
|---|---|---|
| 4.3.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for PostgreSQL Database Server | βοΈ Done by tfsec |
| 4.3.2 | Ensure server parameter log_checkpoints is set to 'On' for PostgreSQL Database Server |
βοΈ Done by tfsec |
| 4.3.3 | Ensure server parameter log_connections is set to 'On' for PostgreSQL Database Server |
βοΈ Done by tfsec |
| 4.3.4 | Ensure server parameter log_disconnections is set to 'On' for PostgreSQL Database Server |
π Not doable with tfsec custom checks |
| 4.3.5 | Ensure server parameter connection_throttling is set to 'On' for PostgreSQL Database Server |
βοΈ Done by tfsec |
| 4.3.6 | Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server |
π Not doable with tfsec custom checks |
| 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | π Not Terraform-related |
| 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | βοΈ Done by tfsec |
| 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL Flexible Database Server | βοΈ Done by tfsec |
| 4.4.3 | Ensure that Azure Active Directory Admin is configured | π Not Terraform-related |
| 4.4.4 | Ensure SQL Server's TDE protector is encrypted with customer-managed key | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 5.1.1 | Ensure that a 'Diagnostics Setting' exists | π Not doable with tfsec custom checks |
| 5.1.2 | Ensure Diagnostics Setting captures appropriate categories | π Not doable with tfsec custom checks |
| 5.1.3 | Ensure the storage container storing the activity logs is not publicly accessible | βοΈ Done by tfsec |
| 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | π Not Terraform-related |
| 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | π Not doable with tfsec custom checks |
| 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | π Not doable with tfsec custom checks |
| 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | π Not doable with tfsec custom checks |
| 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | π Not doable with tfsec custom checks |
| 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | π Not doable with tfsec custom checks |
| 5.2.6 | Ensure that Activity Log Alert exists for Delete Network Security Group Rule | π Not doable with tfsec custom checks |
| 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | π Not doable with tfsec custom checks |
| 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | π Not doable with tfsec custom checks |
| 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | π Not doable with tfsec custom checks |
| 5.2.10 | Ensure that Diagnostic Logs are enabled for all services that support it | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 6.1 | Ensure that RDP access is restricted from the Internet | βοΈ Done by tfsec |
| 6.2 | Ensure that SSH access is restricted from the Internet | βοΈ Done by tfsec |
| 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (any IP) | βοΈ Done by tfsec |
| 6.4 | Ensure that Network Security Group Flow Log retention period is 'Greater than 90 days' | βοΈ Done by tfsec |
| 6.5 | Ensure that Network Watcher is 'Enabled' | π Not Terraform-related |
| 6.6 | Ensure that UDP Services are restricted from the Internet | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 7.1 | Ensure Virtual Machines are utilizing Managed Disks | β Done |
| 7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | π Not Terraform-related |
| 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | π Not Terraform-related |
| 7.4 | Ensure that only approved extensions are installed | π Not Terraform-related |
| 7.5 | Ensure that the latest OS patches for all Virtual Machines are applied | π Not Terraform-related |
| 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | π Not Terraform-related |
| 7.7 | Ensure that VHDs are encrypted | π Not Terraform-related |
| CIS # | Policy | Status |
|---|---|---|
| 8.1 | Ensure that the expiration date is set for all Keys in RBAC Key Vaults | βοΈ Done by tfsec |
| 8.2 | Ensure that the expiration date is set for all Keys in Non-RBAC Key Vaults | βοΈ Done by tfsec |
| 8.3 | Ensure that the expiration date is set for all Secrets in RBAC Key Vaults | βοΈ Done by tfsec |
| 8.4 | Ensure that the expiration date is set for all Secrets in Non-RBAC Key Vaults | βοΈ Done by tfsec |
| 8.5 | Ensure that Resource Locks are set for mission critical Azure resources | π Not Terraform-related |
| 8.6 | Ensure the Key Vault is recoverable | βοΈ Done by tfsec |
| 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | βοΈ Done by tfsec |
| CIS # | Policy | Status |
|---|---|---|
| 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | βοΈ Done by tfsec |
| 9.2 | Ensure Web App redirects all HTTP traffic to HTTPS in Azure App Service | βοΈ Done by tfsec |
| 9.3 | Ensure Web App is using the latest version of TLS encryption | βοΈ Done by tfsec |
| 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | βοΈ Done by tfsec |
| 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | βοΈ Done by tfsec |
| 9.6 | Ensure that 'PHP version' is the latest, if used to run the web app | βοΈ Done by tfsec |
| 9.7 | Ensure that 'Python version' is the latest stable version, if used to run the web app | βοΈ Done by tfsec |
| 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | β Done (this check will need manually updating for newer versions of Java - it checks for Java 17) |
| 9.9 | Ensure that 'HTTP version' is the latest, if used to run the web app | βοΈ Done by tfsec |
| 9.10 | Ensure FTP deployments are disabled | βοΈ Done by tfsec |
| 9.11 | Ensure Azure Key Vaults are used to store Secrets | π Not Terraform-related |